
fix(s3): drop {env, _} tag from access_key/secret_key (#2)

Merged: Taure merged 1 commit into main from fix/secret-resolution on May 19, 2026

Conversation

@Taure (Contributor) commented May 19, 2026

Summary

The S3 adapter's access_key and secret_key accepted a tagged tuple {env, "VAR"} to look up credentials from the OS environment. Tagged-tuple config keys are uncommon in Erlang and added a small DSL with no benefit over passing the env-var name directly.

Change

- access_key => {env, "S3_ACCESS_KEY"},
- secret_key => {env, "S3_SECRET_KEY"}
+ access_key => "S3_ACCESS_KEY",
+ secret_key => "S3_SECRET_KEY"
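Review bot: with the tuple tag gone, an env-var name and a literal credential have the same shape, so a caller who passes the actual key material in access_key would have it silently looked up as a variable name; the typespec and README should state that the string is the variable name, not the secret. Since resolution happens at store-init time, init should return a clear error when the variable is unset or empty instead of continuing with a false or empty credential, and an explicit rejection of the old {env, "VAR"} form would make the v0.1.0 breakage visible rather than surface as a confusing lookup failure.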

The adapter resolves the name to its env-var value at store-init time. Same lazy-lookup semantics, simpler config shape.

Breaking?

Technically yes for anyone on v0.1.0, but the lib is hours old with no consumers. Tagging v0.1.1 after merge.

Test plan

  • rebar3 compile clean
  • rebar3 ct — 16/16 pass
  • rebar3 dialyzer clean
  • rebar3 xref clean
  • rebar3 fmt --check clean

access_key and secret_key now accept the env-var name as a string directly,
matching idiomatic Erlang config patterns. The tagged-tuple form was an
uncommon shape that added a small DSL with no benefit over passing the
name directly.

Before:
  access_key => {env, "S3_ACCESS_KEY"}

After:
  access_key => "S3_ACCESS_KEY"
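As an added illustration of the init-time resolution this PR describes, not the adapter's own code (the module name, the error terms and the explicit rejection of the legacy tuple are assumptions of this example), the following resolves both names and fails closed when a variable is unset or empty:

```erlang
-module(s3_cred_resolve).
-export([resolve/1]).

%% Both keys hold the NAME of an environment variable, not the secret.
-define(CRED_KEYS, [access_key, secret_key]).

%% Resolve the names to values at init time. Errors carry only config
%% keys or variable names, never credential values, so they are safe to log.
-spec resolve(map()) ->
          {ok, map()}
        | {error, {legacy_env_tuple, atom()}}
        | {error, {missing_env, [{atom(), term()}]}}.
resolve(Config) when is_map(Config) ->
    case [K || K <- ?CRED_KEYS, is_legacy(maps:get(K, Config, undefined))] of
        [K | _] ->
            %% Pre-PR {env, "VAR"} shape (assumed check): reject it
            %% explicitly instead of treating the tuple as a variable name.
            {error, {legacy_env_tuple, K}};
        [] ->
            Missing = [{K, maps:get(K, Config, undefined)}
                       || K <- ?CRED_KEYS,
                          not has_value(maps:get(K, Config, undefined))],
            case Missing of
                [] -> {ok, lists:foldl(fun put_value/2, Config, ?CRED_KEYS)};
                _  -> {error, {missing_env, Missing}}
            end
    end.

is_legacy({env, _}) -> true;
is_legacy(_)        -> false.

%% A usable name is a string bound to a non-empty variable; an unset or
%% empty variable must fail init rather than yield an empty credential.
has_value(Name) when is_list(Name) ->
    case os:getenv(Name) of
        false -> false;
        ""    -> false;
        _     -> true
    end;
has_value(_) -> false.

%% Replace the name with the looked-up value; the key is known to exist.
put_value(Key, Config) ->
    Config#{Key := os:getenv(maps:get(Key, Config))}.
```

Calling resolve(#{access_key => "S3_ACCESS_KEY", secret_key => "S3_SECRET_KEY"}) with both variables exported yields {ok, Config} with the values substituted; with either unset it returns {error, {missing_env, [...]}} naming only the offending key.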

@github-actions commented

ℹ️ 15 OTP CVEs auto-ignored (already fixed in running version)

These CVEs are patched in the installed OTP version but NVD data
has not been updated to reflect this. They are excluded from the
scan via an auto-generated .trivyignore.

CVE Details
CVE-2026-32147 Fixed in 28.4.3, running 28.5 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in SFTP chroot
CVE-2026-28808 Fixed in 28.4.2, running 28.5 — ScriptAlias CGI targets bypass directory auth (mod_auth vs mod_cgi path mismatch)
CVE-2026-32144 Fixed in 28.4.2, running 28.5 — OCSP designated-responder authorization bypass — missing signature verification (RFC 6960 §4.2.2.2)
CVE-2026-28810 Fixed in 28.4.2, running 28.5 — Predictable DNS Transaction IDs Enable Cache Poisoning in Built-in Resolver
CVE-2026-23943 Fixed in 28.4.1, running 28.5 — Pre-auth SSH DoS via unbounded zlib inflate
CVE-2026-23942 Fixed in 28.4.1, running 28.5 — SFTP root escape via component-agnostic prefix check in ssh_sftpd
CVE-2026-23941 Fixed in 28.4.1, running 28.5 — Request smuggling via first-wins Content-Length parsing in inets httpd
CVE-2026-21620 Fixed in 28.3.2, running 28.5 — TFTP Path Traversal
CVE-2016-1000107 Fixed in 28.0.4, running 28.5 — Httpd CGI Scripts Environment Variable Pollution AKA "httpoxy"
CVE-2025-58050 Fixed in 28.0.3, running 28.5 — Buffer Read Overflow on Regular Expressions with (*scs:) and (*ACCEPT)
CVE-2025-48038 Fixed in 28.0.3, running 28.5 — SSH Unverified File Handles can Cause Excessive Use of System Resources
CVE-2025-48039 Fixed in 28.0.3, running 28.5 — SSH Unverified Paths can Cause Excessive Use of System Resources
CVE-2025-48040 Fixed in 28.0.3, running 28.5 — SSH Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
CVE-2025-48041 Fixed in 28.0.3, running 28.5 — SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
CVE-2025-4748 Fixed in 28.0.1, running 28.5 — Absolute Path in Zip Module

@Taure Taure merged commit 2c85cab into main May 19, 2026
16 checks passed
@Taure Taure deleted the fix/secret-resolution branch May 19, 2026 21:01