
feat: automatically update references when secrets are moved or updated#5344

Merged: varonix0 merged 8 commits into main from daniel/rename-secret-refs on Feb 4, 2026

Conversation

varonix0 (Member) commented Feb 2, 2026

Context

When a secret is renamed or moved, all secrets that reference it are now automatically updated to maintain valid references. Renaming a secret key updates all secrets that reference it in the same folder from ${OLD_KEY} to ${NEW_KEY}.

Moving a secret to a different folder/environment converts local references (${KEY}) to nested references (${env.path.KEY}) and vice versa. Works with approval workflows as well: references are updated when the rename/move request is merged. To properly support secret moves with approval workflows, I've added a new concept called "internal metadata" on the secret change requests, which keeps track of the source destination secret when a secret is moved. This is needed in order to know which secret references to update once the request is approved.

When a secret reference is updated, secret syncs are triggered in the respective environments of where the secrets were updated. When a secret that references an updated secret is updated, a new commit is created for each of the secrets that have changed.

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

@varonix0 varonix0 self-assigned this Feb 2, 2026
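The rename and move behaviour the PR describes, as an added example that is not Infisical's code: given one secret value, the location of the secret that holds it, and the old and new locations of the referenced secret, it rewrites `${OLD_KEY}` to `${NEW_KEY}` in the same folder and converts `${KEY}` to `${env.path.KEY}` (and back) across a move. The reference grammar, the `Scope`/`SecretLocation` types and the `"/a/b"` path encoding are assumptions; the scanner is index-based rather than regex-based, so its work is linear in the value length whatever the value contains.

```typescript
// Added example (not Infisical's code): rewrite ${...} references in one secret
// value after the secret it points at was renamed or moved. Assumed reference
// forms, from the PR description: ${KEY} for a secret in the same folder and
// environment, ${env.path.segments.KEY} for a secret elsewhere. Paths are
// modelled as "/a/b" strings ("/" for the root folder); these are assumptions.

type Scope = { env: string; path: string };
type SecretLocation = Scope & { key: string };

// Render a reference to `target` as written inside a secret that lives in `from`.
function renderRef(target: SecretLocation, from: Scope): string {
  if (target.env === from.env && target.path === from.path) return "${" + target.key + "}";
  const segments = target.path.split("/").filter((s) => s.length > 0);
  return "${" + [target.env, ...segments, target.key].join(".") + "}";
}

// Does the text between ${ and } (read from inside `from`) point at `old`?
function refersTo(inner: string, from: Scope, old: SecretLocation): boolean {
  const parts = inner.split(".");
  if (parts.length === 1) {
    return from.env === old.env && from.path === old.path && parts[0] === old.key;
  }
  const env = parts[0];
  const key = parts[parts.length - 1];
  const path = "/" + parts.slice(1, -1).join("/");
  return env === old.env && path === old.path && key === old.key;
}

// Single left-to-right scan over the value: no regular expression is involved,
// so the cost is bounded by the value length regardless of its content.
// Unterminated "${" sequences and references to other secrets are copied as-is.
function rewriteReferences(value: string, from: Scope, old: SecretLocation, moved: SecretLocation): string {
  let out = "";
  let i = 0;
  while (i < value.length) {
    const start = value.indexOf("${", i);
    if (start === -1) break;
    const end = value.indexOf("}", start + 2);
    if (end === -1) break;
    out += value.slice(i, start);
    const inner = value.slice(start + 2, end);
    out += refersTo(inner, from, old) ? renderRef(moved, from) : value.slice(start, end + 1);
    i = end + 1;
  }
  return out + value.slice(i);
}
```

A caller would run this over every secret in the folders that reference the moved secret and write back only the values that changed, which is where the per-secret commits the description mentions would come from.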
maidul98 (Collaborator) commented Feb 2, 2026

Snyk checks have passed. No issues have been found so far.

  • Open Source Security: 0 critical, 0 high, 0 medium, 0 low (0 issues total)


greptile-apps bot (Contributor) commented Feb 2, 2026

Greptile Overview

Greptile Summary

This PR implements automatic secret reference updates when secrets are renamed or moved between folders/environments. The implementation handles both local references (${KEY}) and nested references (${env.path.KEY}), converting between them as needed during moves. The feature extends to approval workflows by tracking source locations via internal metadata.

Key changes:

  • Added internalMetadata column to track secret move origins in approval workflows
  • Implemented fnUpdateSecretLinkedReferences to update all references when a secret is renamed
  • Implemented fnUpdateMovedSecretReferences to convert local ↔ nested references when secrets move
  • Added new API endpoint GET /v4/secrets/:secretName/secret-references to list all secrets referencing a given secret
  • Integrated reference updates into approval workflow merge process

Issues found:

  • ReDoS vulnerability: Multiple uses of native regex instead of RE2 in new code (escapeRegex function, formatMultiValueEnv)
  • SQL ambiguity: Column names in joins not qualified with table names, violating repository standards
  • Documentation: No clear documentation exists for this feature discoverability

Confidence Score: 3/5

  • This PR has security issues (ReDoS vulnerabilities) and SQL query problems that must be fixed before merging
  • Score reflects critical security issues with native regex usage that could enable ReDoS attacks, plus SQL query ambiguities. The core logic for reference updates appears sound, but the ReDoS vulnerabilities are blocking issues that need immediate attention.
  • Pay close attention to secret-reference-fns.ts, secret-v2-bridge-fns.ts, secret-v2-bridge-service.ts (ReDoS issues), and secret-v2-bridge-dal.ts (SQL ambiguities)

Important Files Changed

  • backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts: Added DAL methods for updating secret references; contains ambiguous column names in joins that need table qualification
  • backend/src/services/secret-v2-bridge/secret-reference-fns.ts: Refactored secret reference parsing functions into a dedicated file; contains native regex usage vulnerable to ReDoS
  • backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts: Implemented core reference update logic for renames and moves; includes native regex usage in the escapeRegex function
  • backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts: Integrated automatic reference updates on secret rename/move operations; contains native regex usage
  • backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts: Extended approval workflow to handle reference updates on approval merge for moved/renamed secrets

greptile-apps bot (Contributor) left a review comment: 5 files reviewed, 5 comments

greptile-apps bot (Contributor) commented Feb 2, 2026

Additional Comments (1)

backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
Uses native regex in replace() which is vulnerable to ReDoS attacks. The code already imports RE2, but uses native regex here. Replace with RE2 instance.

import RE2 from "re2"; // already imported elsewhere in this file per the comment above

// Escape every regex metacharacter in `str` so it can be embedded literally in a
// pattern. The character class is wrapped in an RE2 instance instead of being
// passed to String.prototype.replace as a native RegExp; RE2 guarantees linear
// matching time, which is what removes the ReDoS concern.
function escapeRegex(str: string): string {
  const escapePattern = new RE2(/[.*+?^${}()|[\]\\]/g);
  return str.replace(escapePattern, "\\$&");
}

varonix0 (Member, Author) commented Feb 2, 2026

GitHub Actions are down. Will re-run tests once they're back up https://www.githubstatus.com/

@varonix0 varonix0 merged commit f5084d7 into main Feb 4, 2026
11 of 13 checks passed