From cc30d2288e224d97b95bdf3ba0c22c82e2fb8f8c Mon Sep 17 00:00:00 2001
From: Chris <christian@haschek.at>
Date: Mon, 20 Apr 2026 21:50:59 +0200
Subject: [PATCH] fix: sanitize API_KEY and BLOCK_PRIVATE_IPS in config
 generation

- Fix Issue 1: Normalize BLOCK_PRIVATE_IPS to safe boolean (true/false) using shell case statement to prevent PHP injection from non-boolean values like 'yes'
- Fix Issue 2: Strip single quotes from API_KEY to prevent PHP string injection if the value contains quotes
- Update docker-compose-dev.yml to document these configuration options

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 docker-compose-dev.yml |  2 ++
 docker/start.sh        | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index d6071a2..b6b4afa 100755
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -13,5 +13,7 @@ services:
 
     environment:
       - URL=http://localhost:8080
+      # - API_KEY=your-secret-key      # if set, all /api requests must provide it
+      # - BLOCK_PRIVATE_IPS=true       # block LAN/loopback/metadata IPs (recommended for public hosting)
     ports:
       - 8080:80
diff --git a/docker/start.sh b/docker/start.sh
index dd2fc98..49cdf9f 100755
--- a/docker/start.sh
+++ b/docker/start.sh
@@ -14,11 +14,18 @@ chmod 777 /srv/logs
 
 echo ' [+] Building config'
 _buildConfig() {
+    local block_private api_key
+    case "${BLOCK_PRIVATE_IPS:-false}" in
+        true|1|yes) block_private=true ;;
+        *)          block_private=false ;;
+    esac
+    api_key="${API_KEY:-}"
+    api_key="${api_key//\'/}"
     echo "<?php"
     echo "date_default_timezone_set('Europe/Vienna');"
     echo "define('URL','${URL:-http://localhost:8080}');"
-    echo "define('API_KEY','${API_KEY:-}');"
-    echo "define('BLOCK_PRIVATE_IPS',${BLOCK_PRIVATE_IPS:-false});"
+    echo "define('API_KEY','${api_key}');"
+    echo "define('BLOCK_PRIVATE_IPS',${block_private});"
     echo ""
 }