From 2d784fc74af668948cc18cb2a7a37de395fd97a8 Mon Sep 17 00:00:00 2001
From: kfox1111 <Kevin.Fox@pnnl.gov>
Date: Thu, 17 Oct 2024 14:31:37 -0700
Subject: [PATCH] Allow escaping $ in config files that use expand env (#5576)

* Allow escaping $ in config files that use expand env

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
---
 cmd/spire-agent/cli/run/run.go  |  3 ++-
 cmd/spire-server/cli/run/run.go |  3 ++-
 pkg/common/config/config.go     | 14 ++++++++++++++
 3 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 pkg/common/config/config.go

diff --git a/cmd/spire-agent/cli/run/run.go b/cmd/spire-agent/cli/run/run.go
index ccd309f223..609788b1be 100644
--- a/cmd/spire-agent/cli/run/run.go
+++ b/cmd/spire-agent/cli/run/run.go
@@ -32,6 +32,7 @@ import (
 	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
 	"github.com/spiffe/spire/pkg/common/idutil"
@@ -301,7 +302,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {
 
 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}
 
 	if err := hcl.Decode(&c, data); err != nil {
diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go
index 6734190c59..97804a41b9 100644
--- a/cmd/spire-server/cli/run/run.go
+++ b/cmd/spire-server/cli/run/run.go
@@ -30,6 +30,7 @@ import (
 	"github.com/spiffe/spire/pkg/common/bundleutil"
 	"github.com/spiffe/spire/pkg/common/catalog"
 	common_cli "github.com/spiffe/spire/pkg/common/cli"
+	"github.com/spiffe/spire/pkg/common/config"
 	"github.com/spiffe/spire/pkg/common/diskcertmanager"
 	"github.com/spiffe/spire/pkg/common/fflag"
 	"github.com/spiffe/spire/pkg/common/health"
@@ -316,7 +317,7 @@ func ParseFile(path string, expandEnv bool) (*Config, error) {
 
 	// If envTemplate flag is passed, substitute $VARIABLES in configuration file
 	if expandEnv {
-		data = os.ExpandEnv(data)
+		data = config.ExpandEnv(data)
 	}
 
 	if err := hcl.Decode(&c, data); err != nil {
diff --git a/pkg/common/config/config.go b/pkg/common/config/config.go
new file mode 100644
index 0000000000..1e6211fd55
--- /dev/null
+++ b/pkg/common/config/config.go
@@ -0,0 +1,14 @@
+package config
+
+import (
+	"os"
+)
+
+func ExpandEnv(data string) string {
+	return os.Expand(data, func(key string) string {
+		if key == "$" {
+			return "$"
+		}
+		return os.Getenv(key)
+	})
+}