Skip to content

feat: Inject runtime configuration for GH_APP in NGINX startup script #3962

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jason-ford-codecov wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: Inject runtime configuration for GH_APP in NGINX startup script #3962

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d86c07a
feat: Inject runtime configuration for GH_APP in NGINX startup script
jason-ford-codecov Jan 15, 2026
70f590c
feat: Base64 encode GH_APP in NGINX startup script for safer injection
jason-ford-codecov Jan 15, 2026
fb8f75a
feat: Make GH_APP injection idempotent in NGINX startup script
jason-ford-codecov Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions docker/start-nginx.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,12 @@ then
sed -i -r "s/[a-zA-Z]+\.BBS_URL/\"${BBS_SCHEME_BASE}:\/\/${BBS_BASE}\"/g" /var/www/app/gazebo/assets/*.js
fi

# Inject runtime config via window.configEnv
if [[ -n "${CODECOV_GH_APP}" ]]; then
echo "Setting GH_APP to ${CODECOV_GH_APP}"
sed -i 's|<head>|<head><script>window.configEnv=window.configEnv||{};window.configEnv.GH_APP="'"${CODECOV_GH_APP}"'";</script>|' /var/www/app/gazebo/index.html
Copy link

@cursor cursor bot Jan 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unescaped special characters in env variable break sed

Medium Severity

The ${CODECOV_GH_APP} value is inserted directly into the sed replacement without escaping special characters. In sed replacement text, & means "insert matched pattern," so a value like my&app becomes my<head>app. Additionally, values containing ", \, or </script> would break the JavaScript syntax or HTML structure. The environment variable value needs to be sanitized or escaped before being used in the sed command.

Fix in Cursor Fix in Web

fi

export DOLLAR='$'
if [ "$CODECOV_FRONTEND_IPV6_DISABLED" ]; then
echo 'Codecov frontend ipv6 disabled'
Expand Down
Loading