From 1151b05c2df79a48dbef93a0e30b80bc93a7d203 Mon Sep 17 00:00:00 2001
From: Claire <claire.github-309c@sitedethib.com>
Date: Wed, 9 Jul 2025 10:58:41 +0200
Subject: [PATCH] Fix support for special characters in various environment
 variables (#35314)

Co-authored-by: Matt Jankowski <matt@jankowski.online>
---
 config/cache_buster.yml          |  4 ++--
 config/email.yml                 | 18 +++++++++---------
 config/mastodon.yml              | 10 +++++-----
 config/translation.yml           |  6 +++---
 config/vapid.yml                 |  4 ++--
 spec/configuration/email_spec.rb | 22 ++++++++++++++++++++++
 6 files changed, 43 insertions(+), 21 deletions(-)
 create mode 100644 spec/configuration/email_spec.rb

diff --git a/config/cache_buster.yml b/config/cache_buster.yml
index 709c0eba887..09d6cfc6eaf 100644
--- a/config/cache_buster.yml
+++ b/config/cache_buster.yml
@@ -1,5 +1,5 @@
 shared:
   enabled: <%= ENV.fetch('CACHE_BUSTER_ENABLED', 'false') == 'true' %>
-  secret_header: <%= ENV.fetch('CACHE_BUSTER_SECRET_HEADER', nil) %>
-  secret: <%= ENV.fetch('CACHE_BUSTER_SECRET', nil) %>
+  secret_header: <%= ENV.fetch('CACHE_BUSTER_SECRET_HEADER', nil)&.to_json %>
+  secret: <%= ENV.fetch('CACHE_BUSTER_SECRET', nil)&.to_json %>
   http_method: <%= ENV.fetch('CACHE_BUSTER_HTTP_METHOD', 'GET') %>
diff --git a/config/email.yml b/config/email.yml
index a6d34c30068..f39aa2545ae 100644
--- a/config/email.yml
+++ b/config/email.yml
@@ -2,14 +2,14 @@
 # keys are added here.
 production:
   delivery_method: <%= ENV.fetch('SMTP_DELIVERY_METHOD', 'smtp') %>
-  from_address: <%= ENV.fetch('SMTP_FROM_ADDRESS', 'notifications@localhost') %>
-  reply_to: <%= ENV.fetch('SMTP_REPLY_TO', nil) %>
-  return_path: <%= ENV.fetch('SMTP_RETURN_PATH', nil) %>
+  from_address: <%= ENV.fetch('SMTP_FROM_ADDRESS', 'notifications@localhost')&.to_json %>
+  reply_to: <%= ENV.fetch('SMTP_REPLY_TO', nil)&.to_json %>
+  return_path: <%= ENV.fetch('SMTP_RETURN_PATH', nil)&.to_json %>
   smtp_settings:
     port: <%= ENV.fetch('SMTP_PORT', nil) %>
-    address: <%= ENV.fetch('SMTP_SERVER', nil) %>
-    user_name: <%= ENV.fetch('SMTP_LOGIN', nil) %>
-    password: <%= ENV.fetch('SMTP_PASSWORD', nil) %>
+    address: <%= ENV.fetch('SMTP_SERVER', nil)&.to_json %>
+    user_name: <%= ENV.fetch('SMTP_LOGIN', nil)&.to_json %>
+    password: <%= ENV.fetch('SMTP_PASSWORD', nil)&.to_json %>
     domain: <%= ENV.fetch('SMTP_DOMAIN', ENV.fetch('LOCAL_DOMAIN', nil)) %>
     authentication: <%= ENV.fetch('SMTP_AUTH_METHOD', 'plain') %>
     ca_file: <%= ENV.fetch('SMTP_CA_FILE', '/etc/ssl/certs/ca-certificates.crt') %>
@@ -22,9 +22,9 @@ production:
   bulk_mail:
     smtp_settings:
       port: <%= ENV.fetch('BULK_SMTP_PORT', nil) %>
-      address: <%= ENV.fetch('BULK_SMTP_SERVER', nil) %>
-      user_name: <%= ENV.fetch('BULK_SMTP_LOGIN', nil) %>
-      password: <%= ENV.fetch('BULK_SMTP_PASSWORD', nil) %>
+      address: <%= ENV.fetch('BULK_SMTP_SERVER', nil)&.to_json %>
+      user_name: <%= ENV.fetch('BULK_SMTP_LOGIN', nil)&.to_json %>
+      password: <%= ENV.fetch('BULK_SMTP_PASSWORD', nil)&.to_json %>
       domain: <%= ENV.fetch('BULK_SMTP_DOMAIN', ENV.fetch('LOCAL_DOMAIN', nil)) %>
       authentication: <%= ENV.fetch('BULK_SMTP_AUTH_METHOD', 'plain') %>
       ca_file: <%= ENV.fetch('BULK_SMTP_CA_FILE', '/etc/ssl/certs/ca-certificates.crt') %>
diff --git a/config/mastodon.yml b/config/mastodon.yml
index 31c2b2b7854..4585e1f2aee 100644
--- a/config/mastodon.yml
+++ b/config/mastodon.yml
@@ -2,14 +2,14 @@
 shared:
   experimental_features: <%= ENV.fetch('EXPERIMENTAL_FEATURES', nil) %>
   limited_federation_mode: <%= (ENV.fetch('LIMITED_FEDERATION_MODE', nil) || ENV.fetch('WHITELIST_MODE', nil)) == 'true' %>
-  self_destruct_value: <%= ENV.fetch('SELF_DESTRUCT', nil) %>
-  software_update_url: <%= ENV.fetch('UPDATE_CHECK_URL', 'https://api.joinmastodon.org/update-check') %>
+  self_destruct_value: <%= ENV.fetch('SELF_DESTRUCT', nil)&.to_json %>
+  software_update_url: <%= ENV.fetch('UPDATE_CHECK_URL', 'https://api.joinmastodon.org/update-check')&.to_json %>
   source:
-    base_url: <%= ENV.fetch('SOURCE_BASE_URL', nil) %>
+    base_url: <%= ENV.fetch('SOURCE_BASE_URL', nil)&.to_json %>
     repository: <%= ENV.fetch('GITHUB_REPOSITORY', 'mastodon/mastodon') %>
     tag: <%= ENV.fetch('SOURCE_TAG', nil) %>
   version:
-    metadata: <%= ENV.fetch('MASTODON_VERSION_METADATA', nil) %>
-    prerelease: <%= ENV.fetch('MASTODON_VERSION_PRERELEASE', nil) %>
+    metadata: <%= ENV.fetch('MASTODON_VERSION_METADATA', nil)&.to_json %>
+    prerelease: <%= ENV.fetch('MASTODON_VERSION_PRERELEASE', nil)&.to_json %>
 test:
   experimental_features: <%= [ENV.fetch('EXPERIMENTAL_FEATURES', nil), 'testing_only'].compact.join(',') %>
diff --git a/config/translation.yml b/config/translation.yml
index e074c5d0f22..75754928ee8 100644
--- a/config/translation.yml
+++ b/config/translation.yml
@@ -1,7 +1,7 @@
 shared:
   deepl:
-    api_key: <%= ENV.fetch('DEEPL_API_KEY', nil) %>
+    api_key: <%= ENV.fetch('DEEPL_API_KEY', nil)&.to_json %>
     plan: <%= ENV.fetch('DEEPL_PLAN', 'free') %>
   libre_translate:
-    api_key: <%= ENV.fetch('LIBRE_TRANSLATE_API_KEY', nil) %>
-    endpoint: <%= ENV.fetch('LIBRE_TRANSLATE_ENDPOINT', nil) %>
+    api_key: <%= ENV.fetch('LIBRE_TRANSLATE_API_KEY', nil)&.to_json %>
+    endpoint: <%= ENV.fetch('LIBRE_TRANSLATE_ENDPOINT', nil)&.to_json %>
diff --git a/config/vapid.yml b/config/vapid.yml
index c3ee806fd6a..49d8cd0de80 100644
--- a/config/vapid.yml
+++ b/config/vapid.yml
@@ -13,5 +13,5 @@
 # https://rossta.net/blog/using-the-web-push-api-with-vapid.html
 #
 shared:
-  private_key: <%= ENV.fetch('VAPID_PRIVATE_KEY', nil) %>
-  public_key: <%= ENV.fetch('VAPID_PUBLIC_KEY', nil) %>
+  private_key: <%= ENV.fetch('VAPID_PRIVATE_KEY', nil)&.to_json %>
+  public_key: <%= ENV.fetch('VAPID_PUBLIC_KEY', nil)&.to_json %>
diff --git a/spec/configuration/email_spec.rb b/spec/configuration/email_spec.rb
new file mode 100644
index 00000000000..2838beb6450
--- /dev/null
+++ b/spec/configuration/email_spec.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'Configuration for email', type: :feature do
+  context 'with special characters in SMTP_PASSWORD env variable' do
+    let(:password) { ']]123456789[["!:@<>/\\=' }
+
+    around do |example|
+      ClimateControl.modify SMTP_PASSWORD: password do
+        example.run
+      end
+    end
+
+    it 'parses value correctly' do
+      expect(Rails.application.config_for(:email, env: :production))
+        .to include(
+          smtp_settings: include(password: password)
+        )
+    end
+  end
+end