From d893aa148e92b0c9982ebdea45f719d4125aafef Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 27 Sep 2025 10:59:13 +0200
Subject: [PATCH 1/3] Do not put sensitive value into error message when the key can be printed as well.
Signed-off-by: Felix Fontein
---
 cmd/sops/main.go | 2 +-
 stores/dotenv/store.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index f24606f1c..7f4b07a46 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -242,7 +242,7 @@ func main() {
 var env []string
 for _, item := range tree.Branches[0] {
 if dotenv.IsComplexValue(item.Value) {
- return cli.NewExitError(fmt.Errorf("cannot use complex value in environment: %s", item.Value), codes.ErrorGeneric)
+ return cli.NewExitError(fmt.Errorf("cannot use complex value in environment; key is %s", item.Key), codes.ErrorGeneric)
 }
 if _, ok := item.Key.(sops.Comment); ok {
 continue
diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go
index d42db65c0..d163b7ead 100644
--- a/stores/dotenv/store.go
+++ b/stores/dotenv/store.go
@@ -139,7 +139,7 @@ func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) {
 buffer := bytes.Buffer{}
 for _, item := range in[0] {
 if IsComplexValue(item.Value) {
- return nil, fmt.Errorf("cannot use complex value in dotenv file: %s", item.Value)
+ return nil, fmt.Errorf("cannot use complex value in dotenv file; key is %s", item.Key)
 }
 var line string
 if comment, ok := item.Key.(sops.Comment); ok {
From 3dda744d8deba5b67b75a826a6dbcd2797eb351f Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 27 Sep 2025 11:03:52 +0200
Subject: [PATCH 2/3] Move dotenv.IsComplexValue to stores.
Signed-off-by: Felix Fontein
---
 cmd/sops/main.go | 2 +-
 stores/dotenv/store.go | 11 +++--------
 stores/stores.go | 11 +++++++++++
 3 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 7f4b07a46..1119476e6 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
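Review bot: In patch 1/3, the new message in cmd/sops/main.go formats `item.Key` with `%s`, but the context lines just below type-assert `item.Key` to `sops.Comment`, so the key is an interface value and a non-string key would print as `%!s(...)` noise instead of the key. `%v` avoids that (or `%q` once the key is known to be a string, which also makes an empty key visible): `fmt.Errorf("cannot use complex value in environment; key is %v", item.Key)`. The same applies to the stores/dotenv/store.go hunk and to the reworded messages in patch 3/3. The series touches no test file, so nothing pins the property that the value stays out of the error text; a regression test asserting that would be worth adding. The enclosing function bodies start and end outside these hunks.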
@@ -241,7 +241,7 @@ func main() {
 var env []string
 for _, item := range tree.Branches[0] {
- if dotenv.IsComplexValue(item.Value) {
+ if stores.IsComplexValue(item.Value) {
 return cli.NewExitError(fmt.Errorf("cannot use complex value in environment; key is %s", item.Key), codes.ErrorGeneric)
 }
 if _, ok := item.Key.(sops.Comment); ok {
diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go
index d163b7ead..afe9b17c7 100644
--- a/stores/dotenv/store.go
+++ b/stores/dotenv/store.go
@@ -138,7 +138,7 @@ func (store *Store) EmitEncryptedFile(in sops.Tree) ([]byte, error) {
 func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) {
 buffer := bytes.Buffer{}
 for _, item := range in[0] {
- if IsComplexValue(item.Value) {
+ if stores.IsComplexValue(item.Value) {
 return nil, fmt.Errorf("cannot use complex value in dotenv file; key is %s", item.Key)
 }
 var line string
@@ -176,14 +176,9 @@ func (store *Store) EmitExample() []byte {
 return bytes
 }
+// DEPRECATED, use stores.IsComplexValue() instead!
 func IsComplexValue(v interface{}) bool {
- switch v.(type) {
- case []interface{}:
- return true
- case sops.TreeBranch:
- return true
- }
- return false
+ return stores.IsComplexValue(v)
 }
 // HasSopsTopLevelKey checks whether a top-level "sops" key exists.
diff --git a/stores/stores.go b/stores/stores.go
index 4cd74b2f3..4d7f3788c 100644
--- a/stores/stores.go
+++ b/stores/stores.go
@@ -535,6 +535,17 @@ func HasSopsTopLevelKey(branch sops.TreeBranch) bool {
 return false
 }
+// IsComplexValue returns true if the given value is an array or dictionary/hash.
+func IsComplexValue(v interface{}) bool {
+ switch v.(type) {
+ case []interface{}:
+ return true
+ case sops.TreeBranch:
+ return true
+ }
+ return false
+}
+
 // ValToString converts a simple value to a string.
 // It does not handle complex values (arrays and mappings).
 func ValToString(v interface{}) string {
From 4bd0a14e1f33d903526e6e7d3a2a2eecdb3bb67c Mon Sep 17 00:00:00 2001
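Review bot: In stores/stores.go, the doc comment on the new `IsComplexValue` promises "array or dictionary/hash", but the type switch matches only the exact types `[]interface{}` and `sops.TreeBranch`; any other slice or map type falls through to `return false`. Both callers in this series rely on the result to refuse composite values for dotenv and environment output, so the comment should state the limit, e.g. `// IsComplexValue reports whether v is a []interface{} or a sops.TreeBranch; every other type is treated as simple.` Whether other composite types can reach it is not visible from the hunk. The two cases can also be merged into `case []interface{}, sops.TreeBranch:`.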
From: Felix Fontein
Date: Sun, 28 Sep 2025 07:43:45 +0200
Subject: [PATCH 3/3] Address review comments.
Signed-off-by: Felix Fontein
---
 cmd/sops/main.go | 2 +-
 stores/dotenv/store.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 1119476e6..cfa968408 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -242,7 +242,7 @@ func main() {
 var env []string
 for _, item := range tree.Branches[0] {
 if stores.IsComplexValue(item.Value) {
- return cli.NewExitError(fmt.Errorf("cannot use complex value in environment; key is %s", item.Key), codes.ErrorGeneric)
+ return cli.NewExitError(fmt.Errorf("cannot use complex value in environment; offending key %s", item.Key), codes.ErrorGeneric)
 }
 if _, ok := item.Key.(sops.Comment); ok {
 continue
diff --git a/stores/dotenv/store.go b/stores/dotenv/store.go
index afe9b17c7..e0fd2c69b 100644
--- a/stores/dotenv/store.go
+++ b/stores/dotenv/store.go
@@ -139,7 +139,7 @@ func (store *Store) EmitPlainFile(in sops.TreeBranches) ([]byte, error) {
 buffer := bytes.Buffer{}
 for _, item := range in[0] {
 if stores.IsComplexValue(item.Value) {
- return nil, fmt.Errorf("cannot use complex value in dotenv file; key is %s", item.Key)
+ return nil, fmt.Errorf("cannot use complex value in dotenv file; offending key %s", item.Key)
 }
 var line string
 if comment, ok := item.Key.(sops.Comment); ok {
@@ -176,7 +176,7 @@ func (store *Store) EmitExample() []byte {
 return bytes
 }
-// DEPRECATED, use stores.IsComplexValue() instead!
+// Deprecated: use stores.IsComplexValue() instead!
 func IsComplexValue(v interface{}) bool {
 return stores.IsComplexValue(v)
 }
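Review bot: In the last stores/dotenv/store.go hunk, the doc comment on the deprecated `IsComplexValue` wrapper now consists only of the `Deprecated:` paragraph, so generated documentation shows no description of what the function does. Go doc comments conventionally open with the identifier and keep the deprecation notice as its own paragraph: `// IsComplexValue returns true if the given value is an array or dictionary/hash.`, then `//`, then `// Deprecated: use stores.IsComplexValue instead.`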