fix: handle control characters in secrets during env substitution (#29)

Author: subhashkhileri

docs/changelog.md

@@ -2,7 +2,17 @@
 
 All notable changes to this project will be documented in this file.
 
-## [1.1.6] - Current
+## [1.1.7] - Current
+
+### Fixed
+- **Secrets with control characters**: Fixed `SyntaxError: Bad control character in string literal` when secrets contain newlines or special characters (e.g., GitHub App private keys)
+  - Replaced `JSON.parse(envsubst(JSON.stringify(obj)))` approach with `lodash.clonedeepwith` for safe environment variable substitution
+  - Now correctly handles private keys, tabs, carriage returns, and other control characters in secret values
+
+### Dependencies
+- Added `lodash.clonedeepwith@^4.5.0` for safe deep object traversal with custom value substitution
+
+## [1.1.6]
 
 ### Added
 - **"next" tag support**: Both Helm and Operator deployments now support `RHDH_VERSION=next`

package.json

@@ -1,6 +1,6 @@
 {
   "name": "rhdh-e2e-test-utils",
-  "version": "1.1.6",
+  "version": "1.1.7",
   "description": "Test utilities for RHDH E2E tests",
   "license": "Apache-2.0",
   "type": "module",
@@ -74,6 +74,7 @@
     "@playwright/test": "^1.57.0",
     "@types/fs-extra": "^11.0.4",
     "@types/js-yaml": "^4.0.9",
+    "@types/lodash.clonedeepwith": "^4.5.9",
     "@types/lodash.mergewith": "^4.6.9",
     "@types/node": "^24.10.1"
   },
@@ -87,6 +88,7 @@
     "eslint-plugin-playwright": "^2.4.0",
     "fs-extra": "^11.3.2",
     "js-yaml": "^4.1.1",
+    "lodash.clonedeepwith": "^4.5.0",
     "lodash.mergewith": "^4.6.2",
     "otplib": "12.0.1",
     "prettier": "^3.7.4",

src/deployment/rhdh/deployment.ts

@@ -8,6 +8,7 @@ import {
   generateDynamicPluginsConfigFromMetadata,
 } from "../../utils/plugin-metadata.js";
 import { envsubst } from "../../utils/common.js";
+import cloneDeepWith from "lodash.clonedeepwith";
 import fs from "fs-extra";
 import {
   DEFAULT_CONFIG_PATHS,
@@ -81,9 +82,15 @@ export class RHDHDeployment {
       this.deploymentConfig.secrets,
     ]);
 
+    // Use cloneDeepWith to substitute env vars in-place, avoiding JSON.parse issues
+    // with control characters in secrets (e.g., private keys with newlines)
+    const substituted = cloneDeepWith(secretsYaml, (value: unknown) => {
+      if (typeof value === "string") return envsubst(value);
+    });
+
     await this.k8sClient.applySecretFromObject(
       "rhdh-secrets",
-      JSON.parse(envsubst(JSON.stringify(secretsYaml))),
+      substituted as { stringData?: Record<string, string> },
       this.deploymentConfig.namespace,
     );
   }

yarn.lock

@@ -362,6 +362,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/lodash.clonedeepwith@npm:^4.5.9":
+  version: 4.5.9
+  resolution: "@types/lodash.clonedeepwith@npm:4.5.9"
+  dependencies:
+    "@types/lodash": "*"
+  checksum: c690fb28126f7248894f08abe13d6c7684dd0a4e9ac545a419a8687438b50d2e6fe32b31176c65a394d3ade4fd16a145ecbf77e7521992414bf657b8b1d936c8
+  languageName: node
+  linkType: hard
+
 "@types/lodash.mergewith@npm:^4.6.9":
   version: 4.6.9
   resolution: "@types/lodash.mergewith@npm:4.6.9"
@@ -1642,6 +1651,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"lodash.clonedeepwith@npm:^4.5.0":
+  version: 4.5.0
+  resolution: "lodash.clonedeepwith@npm:4.5.0"
+  checksum: 9fbf4ebfa04b381df226a2298eba680327bea3d0d5d19c5118de7ae218fd219186e30e9fd0d33b13729f34ffbc83c1cf09cb27aff265ba94cb602b8a2b1e71c9
+  languageName: node
+  linkType: hard
+
 "lodash.merge@npm:^4.6.2":
   version: 4.6.2
   resolution: "lodash.merge@npm:4.6.2"
@@ -2128,13 +2144,15 @@ __metadata:
     "@playwright/test": ^1.57.0
     "@types/fs-extra": ^11.0.4
     "@types/js-yaml": ^4.0.9
+    "@types/lodash.clonedeepwith": ^4.5.9
     "@types/lodash.mergewith": ^4.6.9
     "@types/node": ^24.10.1
     eslint: ^9.39.1
     eslint-plugin-check-file: ^3.3.1
     eslint-plugin-playwright: ^2.4.0
     fs-extra: ^11.3.2
     js-yaml: ^4.1.1
+    lodash.clonedeepwith: ^4.5.0
     lodash.mergewith: ^4.6.2
     otplib: 12.0.1
     prettier: ^3.7.4