validate key:rotate inputs upfront and harden .env rewrite

paulbalandan · paulbalandan · commit d2a58ecc8d36 · 2026-05-10T03:18:59.000+08:00
diff --git a/system/Commands/Encryption/RotateKey.php b/system/Commands/Encryption/RotateKey.php
@@ -122,6 +122,14 @@ protected function execute(array $arguments, array $options): int
             return EXIT_ERROR;
         }
 
+        $length = $options['length'];
+
+        if (! is_numeric($length) || (int) $length < 1) {
+            CLI::error('The --length option must be a positive integer.');
+
+            return EXIT_ERROR;
+        }
+
         $previousKeys = $this->mergePreviousKeys($currentKey, $this->parsePreviousKeys(), (int) $keep);
 
         // Write previousKeys first. If the subsequent `key:generate` call fails,
@@ -257,30 +265,35 @@ private function writePreviousKeys(array $previousKeys): bool
             return false;
         }
 
-        $contents    = (string) file_get_contents($envFile);
-        $value       = implode(',', $previousKeys);
-        $replacement = "\nencryption.previousKeys = {$value}";
-
-        if (! str_contains($contents, 'encryption.previousKeys')) {
-            // Insert right after the `encryption.key` line so the two stay grouped.
-            $injected = (string) preg_replace(
-                '/^([#\s]*encryption\.key[=\s]*[^\r\n]*)$/m',
-                '$1' . $replacement,
-                $contents,
-                1,
-            );
+        $contents = (string) file_get_contents($envFile);
+        $value    = implode(',', $previousKeys);
+
+        // Match an actual setting line, not a substring buried in a comment. The optional
+        // `export` prefix mirrors what DotEnv accepts.
+        $previousKeysPattern = '/^(\h*(?:export\h+)?encryption\.previousKeys\h*=\h*)[^\r\n]*$/m';
+
+        if (preg_match($previousKeysPattern, $contents) === 1) {
+            $contents = (string) preg_replace($previousKeysPattern, '$1' . $value, $contents, 1);
 
-            // The append fallback shouldn't trigger because `key:generate` writes
-            // the `encryption.key` line just before this method runs.
-            return file_put_contents($envFile, $injected !== $contents ? $injected : $contents . $replacement) !== false;
+            return file_put_contents($envFile, $contents) !== false;
         }
 
-        $contents = (string) preg_replace(
-            '/^[#\s]*encryption\.previousKeys[=\s]*[^\r\n]*$/m',
-            trim($replacement),
+        // Insert right after the `encryption.key` line so the two stay grouped.
+        $injected = (string) preg_replace(
+            '/^(\h*(?:export\h+)?encryption\.key\h*=\h*[^\r\n]*)$/m',
+            "$1\nencryption.previousKeys = {$value}",
             $contents,
+            1,
         );
 
-        return file_put_contents($envFile, $contents) !== false;
+        if ($injected === $contents) {
+            // @codeCoverageIgnoreStart
+            // Fallback: append to the end. Shouldn't trigger because `key:generate`
+            // writes the `encryption.key` line just before this method runs.
+            $injected = $contents . "\nencryption.previousKeys = {$value}";
+            // @codeCoverageIgnoreEnd
+        }
+
+        return file_put_contents($envFile, $injected) !== false;
     }
 }
diff --git a/tests/system/Commands/Encryption/RotateKeyTest.php b/tests/system/Commands/Encryption/RotateKeyTest.php
@@ -397,6 +397,125 @@ public function testRotateRejectsNonNumericKeepValue(): void
         $this->assertSame(self::SEED_KEY, env('encryption.key'));
     }
 
+    public function testRotateRejectsNegativeLengthValue(): void
+    {
+        $this->seedEnv(self::SEED_KEY);
+        $envContentsBefore = (string) file_get_contents($this->envPath);
+
+        command('key:rotate --force --length=-1');
+
+        $this->assertSame(
+            <<<'EOT'
+
+                The --length option must be a positive integer.
+
+                EOT,
+            $this->getUndecoratedBuffer(),
+        );
+        $this->assertSame(self::SEED_KEY, env('encryption.key'));
+        $this->assertSame(
+            $envContentsBefore,
+            (string) file_get_contents($this->envPath),
+            'Validation must reject the run before any .env mutation.',
+        );
+    }
+
+    public function testRotateRejectsZeroLengthValue(): void
+    {
+        $this->seedEnv(self::SEED_KEY);
+        $envContentsBefore = (string) file_get_contents($this->envPath);
+
+        command('key:rotate --force --length=0');
+
+        $this->assertSame(
+            <<<'EOT'
+
+                The --length option must be a positive integer.
+
+                EOT,
+            $this->getUndecoratedBuffer(),
+        );
+        $this->assertSame(self::SEED_KEY, env('encryption.key'));
+        $this->assertSame($envContentsBefore, (string) file_get_contents($this->envPath));
+    }
+
+    public function testRotateRejectsNonNumericLengthValue(): void
+    {
+        $this->seedEnv(self::SEED_KEY);
+        $envContentsBefore = (string) file_get_contents($this->envPath);
+
+        command('key:rotate --force --length=abc');
+
+        $this->assertSame(
+            <<<'EOT'
+
+                The --length option must be a positive integer.
+
+                EOT,
+            $this->getUndecoratedBuffer(),
+        );
+        $this->assertSame(self::SEED_KEY, env('encryption.key'));
+        $this->assertSame($envContentsBefore, (string) file_get_contents($this->envPath));
+    }
+
+    public function testRotateIgnoresCommentMentioningPreviousKeysWhenInserting(): void
+    {
+        $envContents = "# encryption.previousKeys is for decryption fallback\nencryption.key = " . self::SEED_KEY . "\n";
+        file_put_contents($this->envPath, $envContents);
+        $this->resetEnvironment();
+        (new DotEnv(ROOTPATH))->load();
+
+        command('key:rotate --force');
+
+        $contents = (string) file_get_contents($this->envPath);
+        $this->assertMatchesRegularExpression(
+            '/^encryption\.previousKeys = ' . preg_quote(self::SEED_KEY, '/') . '$/m',
+            $contents,
+            'A real `encryption.previousKeys` setting must be written even when a comment mentions the name.',
+        );
+        $this->assertSame(self::SEED_KEY, env('encryption.previousKeys'));
+    }
+
+    public function testRotateReplacesPreviousKeysLineWithExportPrefix(): void
+    {
+        $existing    = 'hex2bin:' . str_repeat('a', 64);
+        $envContents = 'encryption.key = ' . self::SEED_KEY . "\nexport encryption.previousKeys = {$existing}\n";
+        file_put_contents($this->envPath, $envContents);
+        $this->resetEnvironment();
+        (new DotEnv(ROOTPATH))->load();
+
+        command('key:rotate --force');
+
+        $contents = (string) file_get_contents($this->envPath);
+        $this->assertMatchesRegularExpression(
+            '/^export encryption\.previousKeys = ' . preg_quote(self::SEED_KEY . ',' . $existing, '/') . '$/m',
+            $contents,
+            'The existing `export` prefix should be preserved and the value rewritten.',
+        );
+        $this->assertSame(
+            self::SEED_KEY . ',' . $existing,
+            env('encryption.previousKeys'),
+        );
+    }
+
+    public function testRotateInsertsAfterExportPrefixedEncryptionKey(): void
+    {
+        $envContents = 'export encryption.key = ' . self::SEED_KEY . "\n";
+        file_put_contents($this->envPath, $envContents);
+        $this->resetEnvironment();
+        (new DotEnv(ROOTPATH))->load();
+
+        command('key:rotate --force');
+
+        $contents = (string) file_get_contents($this->envPath);
+        $this->assertMatchesRegularExpression(
+            '/^export encryption\.key = hex2bin:[a-f0-9]{64}\nencryption\.previousKeys = ' . preg_quote(self::SEED_KEY, '/') . '$/m',
+            $contents,
+            '`encryption.previousKeys` should be inserted on the line directly after an `export`-prefixed `encryption.key`.',
+        );
+        $this->assertSame(self::SEED_KEY, env('encryption.previousKeys'));
+    }
+
     public function testRotateErrorsWhenEnvFileIsNotWritable(): void
     {
         $this->seedEnv(self::SEED_KEY);
diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst
@@ -242,13 +242,16 @@ The command reads ``encryption.key`` from your environment, prepends it to
 ``encryption.previousKeys`` (newest first, deduplicated), and writes a fresh ``encryption.key``.
 Useful options:
 
-- ``--prefix`` (``hex2bin`` or ``base64``, default ``hex2bin``) and ``--length`` (default ``32``)
-  control how the new key is generated, mirroring ``key:generate``.
+- ``--prefix`` (``hex2bin`` or ``base64``, default ``hex2bin``) and ``--length`` (positive
+  integer, default ``32``) control how the new key is generated, mirroring ``key:generate``.
 - ``--keep=N`` caps the retained ``previousKeys`` list to the ``N`` most recent entries. ``N`` must
   be a non-negative integer; ``0`` (the default) keeps every previous key.
 - ``--force`` / ``-f`` skips the interactive confirmation. Required when running with
   ``--no-interaction``.
 
+All three options are validated up-front, so an invalid value cannot leave the **.env** file
+half-rotated.
+
 Padding
 =======
 
