Skip to content

fix(env): fail safely on undecrypted environment ciphertext#4816

Closed
ETdoFresh wants to merge 1 commit into
Dokploy:canaryfrom
ETdoFresh:agent/fail-closed-encrypted-env
Closed

fix(env): fail safely on undecrypted environment ciphertext#4816
ETdoFresh wants to merge 1 commit into
Dokploy:canaryfrom
ETdoFresh:agent/fail-closed-encrypted-env

Conversation

@ETdoFresh

Copy link
Copy Markdown

Summary

  • reject raw enc:v1: values before they reach dotenv parsing
  • fail remote deployments with an actionable encryption-key consistency error instead of silently producing an empty environment
  • cover service, project, and environment-level variable scopes with regression tests

Root cause and impact

Environment encryption added in #4789 intentionally returns raw ciphertext from the Drizzle custom type when decryption fails. That keeps database reads available, but deployment code then passes the ciphertext to dotenv.parse().

An enc:v1:... payload is not a valid dotenv assignment, so it parses to an empty object. The Swarm application builder subsequently writes TaskTemplate.ContainerSpec.Env: [], silently removing every configured runtime variable while the deployment can still finish successfully.

This was observed on Dokploy Cloud v0.29.12 with a Dockerfile Application targeting a remote single-node Swarm:

  1. application.one returned all 9 configured environment keys.
  2. The same block parsed as all 9 keys with Dokploy's dotenv 16.4.5 dependency.
  3. Deploy and redeploy both completed with status done.
  4. Immediately afterward, the remote service had ContainerSpec.Env: [] and the container was missing all configured variables.
  5. A manual docker service update --env-add ... restored the service, but the next Dokploy deployment removed the variables again.

Because Dokploy Cloud dispatches remote deployments to the separate deployment service, the likely trigger is a web/worker version mismatch or inconsistent ENCRYPTION_KEY / BETTER_AUTH_SECRET. That infrastructure condition still needs to be corrected. This patch provides a safe execution boundary: undecrypted ciphertext can no longer be mistaken for an intentionally empty environment.

No secret values are included here.

Validation

  • pnpm --filter=dokploy exec vitest --config __test__/vitest.config.ts run __test__/env — 79 tests passed
  • pnpm --filter=@dokploy/server typecheck
  • pnpm --filter=dokploy typecheck
  • pnpm exec biome check packages/server/src/utils/docker/utils.ts apps/dokploy/__test__/env/shared.test.ts
  • git diff --check

Related context: #4516

@ETdoFresh

Copy link
Copy Markdown
Author

Sorry, didn't mean to put this here, was going to do this locally on my fork first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant