fix(cli): prevent .env sanitizer from splitting GLM_API_KEY by LM_API_KEY suffix #17288
Merged
…_KEY suffix

The known-key splitter in `_sanitize_env_lines` used substring matching to find concatenated KEY=VALUE pairs. When a registered key was a suffix of another (LM_API_KEY is a suffix of GLM_API_KEY), the shorter key's needle would match inside the longer one, causing the sanitizer to rewrite `GLM_API_KEY=...` as `G\nLM_API_KEY=...` and silently break Z.AI/GLM auth (and similarly `GLM_BASE_URL` -> `G\nLM_BASE_URL`).

Drop matches whose needle range is fully contained within a longer overlapping match. Two regression tests cover the suffix-collision case and confirm a real concatenation that happens to start with the longer key still splits where it should.

Fixes #17138
Salvage of #17141 by @jackjin1997 onto current main.
Fixes #17138.
`_sanitize_env_lines` searched every registered env key name as a substring with no word-boundary check. `LM_API_KEY=` (LM Studio) is a literal suffix of `GLM_API_KEY=` (Z.AI/GLM), so `doctor` — or any code path that sanitizes `.env` — rewrote user files from `GLM_API_KEY=...` into `G\nLM_API_KEY=...`, silently killing Z.AI auth. Same shape for `GLM_BASE_URL` vs `LM_BASE_URL`.

Fix collects full `(start, end)` ranges per match and drops ranges fully contained inside a longer overlapping match. Real concatenations (no nesting) still split.

Validation

- `GLM_API_KEY=glm-secret`
- `G\nLM_API_KEY=glm-secret`
- `GLM_API_KEY=glmLM_API_KEY=lm-key` (genuine concat)
- `tests/hermes_cli/test_config.py::TestSanitizeEnvLines`

Contributor authorship preserved via rebase-merge.
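The suffix collision and the containment filter described in this PR, as an added Python sketch that is not the project's `_sanitize_env_lines`. The key list and the function names `find_needles`, `drop_nested` and `split_line` are assumptions made for illustration.

```python
# Added illustration, not the project's code. KNOWN_KEYS is a constructed
# subset of registered keys; all function names here are hypothetical.
KNOWN_KEYS = ("GLM_API_KEY", "LM_API_KEY", "GLM_BASE_URL", "LM_BASE_URL")


def find_needles(line, keys=KNOWN_KEYS):
    """Return sorted (start, end) ranges of every 'KEY=' substring hit."""
    ranges = set()
    for key in keys:
        needle = key + "="
        pos = line.find(needle)
        while pos != -1:
            ranges.add((pos, pos + len(needle)))
            pos = line.find(needle, pos + 1)
    return sorted(ranges)


def drop_nested(ranges):
    """Drop any range fully contained inside a longer overlapping range."""
    return [
        (s, e) for (s, e) in ranges
        if not any(ps <= s and e <= pe and pe - ps > e - s for ps, pe in ranges)
    ]


def split_line(line, fixed=True):
    """Split a .env line at each known-key hit; fixed=False shows the bug."""
    ranges = find_needles(line)
    if fixed:
        ranges = drop_nested(ranges)
    bounds = sorted({0, len(line)} | {s for s, _ in ranges})
    return [line[a:b] for a, b in zip(bounds, bounds[1:])]


if __name__ == "__main__":
    for sample in ("GLM_API_KEY=glm-secret",             # constructed inputs
                   "GLM_API_KEY=glmLM_API_KEY=lm-key",
                   "GLM_BASE_URL=https://example.invalid"):
        print(repr(sample))
        print("  substring only:", split_line(sample, fixed=False))
        print("  nested dropped:", split_line(sample))
```

In this sketch a value that itself contains a registered `KEY=` string is still split, since containment filtering only addresses nested key names.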