Improper escaping of Environment variables generates invalid YAML #7464

Open
markhc opened this issue Jul 5, 2023 · 2 comments
Labels
🐞 bug Something isn't working 👩‍💻 development-chores Issues related to project setup in development mode

markhc commented Jul 5, 2023

Describe the bug

Commit 12cb97d introduced quotes around environment variables in the database.yml file.

This causes an issue when the credentials themselves have a double quote character (").

For instance, consider POSTGRES_PASSWORD to be abc"123. This will generate the following invalid YAML:

production:
  <<: *default
  password: "abc"123"

And the following error:

Cannot load database configuration:
YAML syntax error occurred while parsing /app/config/database.yml. Please note that YAML must be consistently indented using spaces. Tabs are not allowed. Error: (<unknown>): did not find expected key while parsing a block mapping at line 13 column 3
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/configuration_file.rb:29:in `rescue in parse'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/configuration_file.rb:21:in `parse'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/configuration_file.rb:18:in `parse'
/gems/ruby/3.2.0/gems/railties-7.0.5/lib/rails/application/configuration.rb:335:in `database_configuration'
/gems/ruby/3.2.0/gems/activerecord-7.0.5/lib/active_record/railtie.rb:266:in `block (2 levels) in <class:Railtie>'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:95:in `class_eval'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:95:in `block in execute_hook'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:85:in `with_execution_control'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:90:in `execute_hook'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:60:in `block in on_load'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:59:in `each'
/gems/ruby/3.2.0/gems/activesupport-7.0.5/lib/active_support/lazy_load_hooks.rb:59:in `on_load'
/gems/ruby/3.2.0/gems/activerecord-7.0.5/lib/active_record/railtie.rb:262:in `block in <class:Railtie>'
/gems/ruby/3.2.0/gems/railties-7.0.5/lib/rails/initializable.rb:32:in `instance_exec'
/gems/ruby/3.2.0/gems/railties-7.0.5/lib/rails/initializable.rb:32:in `run'
/gems/ruby/3.2.0/gems/railties-7.0.5/lib/rails/initializable.rb:61:in `block in run_initializers'

To Reproduce

  1. Set POSTGRES_PASSWORD to a value that contains a quote character "
  2. Try to deploy the application

Expected behavior

It is expected that environment variables are properly escaped and that their values do not cause issues.

Environment

Docker

Cloud Provider

GCP

Platform

Browser

Operating system

No response

Browser and version

No response

Docker (if applicable)

No response

Additional context

No response

markhc commented Jul 5, 2023

This is mostly a problem for passwords, which can easily contain the character. A possible solution is to do the escaping with gsub:

production:
  <<: *default
  database: "<%= ENV.fetch('POSTGRES_DATABASE', 'chatwoot_production') %>"
  username: "<%= ENV.fetch('POSTGRES_USERNAME', 'chatwoot_prod') %>"
  password: "<%= ENV.fetch('POSTGRES_PASSWORD', 'chatwoot_prod').gsub(/"/){ |s| '\\' + s } %>"

@vishnu-narayanan vishnu-narayanan added the 🐞 bug Something isn't working label Jul 6, 2023
@pranavrajs pranavrajs added the 👩‍💻 development-chores Issues related to project setup in development mode label Aug 15, 2023
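
Added example (not part of the issue thread or the project's code): a round-trip check that renders a one-key ERB template the way database.yml is rendered, parses the result, and compares the password with the input for three quoting strategies. The `STRATEGIES` names, the `check` and `matrix` helpers and the sample passwords are constructed for illustration; `to_json` is an assumed alternative, chosen because a JSON string is also a valid YAML double-quoted scalar.

```ruby
require 'erb'
require 'json'
require 'yaml'

# One-key stand-in for config/database.yml; `emit` and `value` are supplied
# per call so the real ENV is never read.
TEMPLATE = ERB.new("production:\n  password: <%= emit.call(value) %>\n")

# Ways of turning the raw value into a YAML scalar (names are hypothetical).
STRATEGIES = {
  raw_quotes: ->(v) { '"' + v + '"' },                            # quotes, no escaping
  gsub_quote: ->(v) { '"' + v.gsub(/"/) { |s| '\\' + s } + '"' }, # escapes " only
  to_json:    ->(v) { v.to_json }                                 # escapes " and \
}.freeze

# Constructed sample passwords (single-quoted, so backslashes are literal).
SAMPLES = ['plain', 'abc"123', 'abc\\', 'a\nb'].freeze

# :ok           parsed password equals the input
# :altered      YAML is valid but the password changed silently
# :syntax_error the rendered file cannot be parsed at all
def check(strategy, value)
  yaml = TEMPLATE.result_with_hash(emit: STRATEGIES.fetch(strategy), value: value)
  parsed = YAML.safe_load(yaml).dig('production', 'password')
  parsed == value ? :ok : :altered
rescue Psych::SyntaxError
  :syntax_error
end

# Result for every strategy/sample pair.
def matrix
  STRATEGIES.keys.to_h { |s| [s, SAMPLES.to_h { |v| [v, check(s, v)] }] }
end

if __FILE__ == $PROGRAM_NAME
  matrix.each do |strategy, row|
    row.each { |v, r| puts format('%-11s %-10s %s', strategy, v.inspect, r) }
  end
end
```

The `:altered` rows matter as much as the syntax errors: a backslash sequence inside a double-quoted scalar parses cleanly but yields a different credential, which surfaces later as an authentication failure rather than a configuration error.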