fix(systemd): scrub single-quoted env tokens

samzong · samzong · commit 6e842f604219 · 2026-05-20T11:43:03.000+08:00
Signed-off-by: samzong &lt;samzong.lu@gmail.com&gt;
diff --git a/src/daemon/arg-split.ts b/src/daemon/arg-split.ts
@@ -1,13 +1,21 @@
 type ArgSplitEscapeMode = "none" | "backslash" | "backslash-quote-only";
+type ArgSplitQuoteChar = '"' | "'";
+type ArgSplitQuoteStart = "anywhere" | "item-start";
 
 export function splitArgsPreservingQuotes(
   value: string,
-  options?: { escapeMode?: ArgSplitEscapeMode },
+  options?: {
+    escapeMode?: ArgSplitEscapeMode;
+    quoteChars?: readonly ArgSplitQuoteChar[];
+    quoteStart?: ArgSplitQuoteStart;
+  },
 ): string[] {
   const args: string[] = [];
   let current = "";
-  let inQuotes = false;
+  let quoteChar: ArgSplitQuoteChar | null = null;
   const escapeMode = options?.escapeMode ?? "none";
+  const quoteChars = new Set<ArgSplitQuoteChar>(options?.quoteChars ?? ['"']);
+  const quoteStart = options?.quoteStart ?? "anywhere";
 
   for (let i = 0; i < value.length; i++) {
     const char = value[i];
@@ -28,11 +36,18 @@ export function splitArgsPreservingQuotes(
       i++;
       continue;
     }
-    if (char === '"') {
-      inQuotes = !inQuotes;
-      continue;
+    if (quoteChars.has(char as ArgSplitQuoteChar)) {
+      if (quoteChar === char) {
+        quoteChar = null;
+        continue;
+      }
+      const canOpenQuote = quoteStart === "anywhere" || current.length === 0;
+      if (!quoteChar && canOpenQuote) {
+        quoteChar = char as ArgSplitQuoteChar;
+        continue;
+      }
     }
-    if (!inQuotes && /\s/.test(char)) {
+    if (!quoteChar && /\s/.test(char)) {
       if (current) {
         args.push(current);
         current = "";
diff --git a/src/daemon/systemd-unit.ts b/src/daemon/systemd-unit.ts
@@ -106,7 +106,8 @@ export function parseSystemdEnvAssignment(raw: string): { key: string; value: st
   }
 
   const unquoted = (() => {
-    if (!(trimmed.startsWith('"') && trimmed.endsWith('"'))) {
+    const quote = trimmed[0];
+    if (!((quote === '"' || quote === "'") && trimmed.endsWith(quote))) {
       return trimmed;
     }
     let out = "";
@@ -139,7 +140,11 @@ export function parseSystemdEnvAssignment(raw: string): { key: string; value: st
 }
 
 export function parseSystemdEnvAssignments(raw: string): Array<{ key: string; value: string }> {
-  return splitArgsPreservingQuotes(raw, { escapeMode: "backslash" }).flatMap((entry) => {
+  return splitArgsPreservingQuotes(raw, {
+    escapeMode: "backslash",
+    quoteChars: ['"', "'"],
+    quoteStart: "item-start",
+  }).flatMap((entry) => {
     const parsed = parseSystemdEnvAssignment(entry);
     return parsed ? [parsed] : [];
   });
diff --git a/src/daemon/systemd.test.ts b/src/daemon/systemd.test.ts
@@ -21,7 +21,7 @@ vi.mock("node:child_process", async () => {
 });
 
 import { splitArgsPreservingQuotes } from "./arg-split.js";
-import { parseSystemdExecStart } from "./systemd-unit.js";
+import { parseSystemdEnvAssignments, parseSystemdExecStart } from "./systemd-unit.js";
 import {
   installSystemdService,
   isNonFatalSystemdInstallProbeError,
@@ -608,6 +608,24 @@ describe("splitArgsPreservingQuotes", () => {
   });
 });
 
+describe("parseSystemdEnvAssignments", () => {
+  it("parses single-quoted whole assignments", () => {
+    expect(
+      parseSystemdEnvAssignments("'OPENCLAW_GATEWAY_TOKEN=single quoted token' FOO=bar"),
+    ).toEqual([
+      { key: "OPENCLAW_GATEWAY_TOKEN", value: "single quoted token" },
+      { key: "FOO", value: "bar" },
+    ]);
+  });
+
+  it("keeps apostrophes inside unquoted assignment values literal", () => {
+    expect(parseSystemdEnvAssignments("FOO=can't OPENCLAW_GATEWAY_TOKEN=token")).toEqual([
+      { key: "FOO", value: "can't" },
+      { key: "OPENCLAW_GATEWAY_TOKEN", value: "token" },
+    ]);
+  });
+});
+
 describe("parseSystemdExecStart", () => {
   it("preserves quoted arguments", () => {
     const execStart = '/usr/bin/openclaw gateway start --name "My Bot"';
@@ -953,6 +971,7 @@ describe("stageSystemdService", () => {
           "ExecStart=/usr/bin/openclaw node run",
           "Environment=FOO=bar OPENCLAW_GATEWAY_TOKEN=inline-token BAZ=qux",
           "Environment=OPENCLAW_GATEWAY_TOKEN=token-only-line",
+          "Environment='OPENCLAW_GATEWAY_TOKEN=single-quoted-token' FROM_SINGLE=kept",
           "Environment=OPENCLAW_GATEWAY_PORT=18789",
         ].join("\n"),
         { encoding: "utf8", mode: 0o600 },
@@ -985,7 +1004,9 @@ describe("stageSystemdService", () => {
       expect(unit).not.toContain("Environment=OPENCLAW_GATEWAY_TOKEN=fresh-token");
       expect(backupUnit).not.toContain("Environment=OPENCLAW_GATEWAY_TOKEN=inline-token");
       expect(backupUnit).not.toContain("Environment=OPENCLAW_GATEWAY_TOKEN=token-only-line");
+      expect(backupUnit).not.toContain("single-quoted-token");
       expect(backupUnit).toContain("Environment=FOO=bar BAZ=qux");
+      expect(backupUnit).toContain("Environment=FROM_SINGLE=kept");
       expect(backupUnit).toContain("Environment=OPENCLAW_GATEWAY_PORT=18789");
       expect(backupStat.mode & 0o777).toBe(0o600);
     });
diff --git a/src/daemon/systemd.ts b/src/daemon/systemd.ts
@@ -812,7 +812,7 @@ async function writeSystemdGatewayEnvironmentFile(params: {
       continue;
     }
     try {
-      existing = { ...existing, ...(await readSystemdEnvironmentFile(sourceEnvFilePath)) };
+      Object.assign(existing, await readSystemdEnvironmentFile(sourceEnvFilePath));
     } catch {
       // File does not exist yet — nothing to preserve.
     }

Original file line number	Diff line number	Diff line change
`@@ -812,7 +812,7 @@ async function writeSystemdGatewayEnvironmentFile(params: {`
`812`	`812`	`continue;`
`813`	`813`	`}`
`814`	`814`	`try {`
`815`		`- existing = { ...existing, ...(await readSystemdEnvironmentFile(sourceEnvFilePath)) };`
	`815`	`+ Object.assign(existing, await readSystemdEnvironmentFile(sourceEnvFilePath));`
`816`	`816`	`} catch {`
`817`	`817`	`// File does not exist yet — nothing to preserve.`
`818`	`818`	`}`