fix(fireflyiii): address review feedback - no password logging, safe CREATE DATABASE, DB name validation, v6.5.10

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/3edc7858-637d-40e0-849a-4d525187396d

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>

fireflyiii/CHANGELOG.md

@@ -1,4 +1,9 @@
 
+## 6.5.10 (2026-04-23)
+- Fix: use service discovery credentials for CREATE DATABASE bootstrap (prevents failure when user-specified credentials lack CREATE privilege)
+- Fix: validate DB_DATABASE name to prevent SQL injection in bootstrap SQL statement
+- Fix: DB_PASSWORD is no longer logged to addon logs
+
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
 - Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials

fireflyiii/config.yaml

@@ -104,5 +104,5 @@ slug: fireflyiii
 startup: services
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "6.5.9"
+version: "6.5.10"
 webui: "[PROTO:ssl]://[HOST]:[PORT:8080]"

fireflyiii/rootfs/etc/cont-init.d/99-run.sh

@@ -91,9 +91,17 @@ case $(bashio::config 'DB_CONNECTION') in
         DB_HOST=$(bashio::services "mysql" "host")
         DB_PORT=$(bashio::services "mysql" "port")
 
+        # Always fetch service discovery credentials for bootstrap operations (CREATE DATABASE)
+        BOOTSTRAP_USERNAME=$(bashio::services "mysql" "username")
+        BOOTSTRAP_PASSWORD=$(bashio::services "mysql" "password")
+
         # Use user-configured database name if provided, otherwise default to 'firefly'
         if bashio::config.has_value "DB_DATABASE"; then
             DB_DATABASE=$(bashio::config "DB_DATABASE")
+            # Validate: only allow alphanumeric, underscore, and dash
+            if [[ ! "$DB_DATABASE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+                bashio::exit.nok "DB_DATABASE contains invalid characters. Only alphanumeric, underscore, and dash are allowed."
+            fi
         else
             DB_DATABASE=firefly
         fi
@@ -102,12 +110,12 @@ case $(bashio::config 'DB_CONNECTION') in
         if bashio::config.has_value "DB_USERNAME"; then
             DB_USERNAME=$(bashio::config "DB_USERNAME")
         else
-            DB_USERNAME=$(bashio::services "mysql" "username")
+            DB_USERNAME=${BOOTSTRAP_USERNAME}
         fi
         if bashio::config.has_value "DB_PASSWORD"; then
             DB_PASSWORD=$(bashio::config "DB_PASSWORD")
         else
-            DB_PASSWORD=$(bashio::services "mysql" "password")
+            DB_PASSWORD=${BOOTSTRAP_PASSWORD}
         fi
 
         export DB_CONNECTION
@@ -115,17 +123,17 @@ case $(bashio::config 'DB_CONNECTION') in
         export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
         export DB_DATABASE && bashio::log.blue "DB_DATABASE=$DB_DATABASE"
         export DB_USERNAME && bashio::log.blue "DB_USERNAME=$DB_USERNAME"
-        export DB_PASSWORD && bashio::log.blue "DB_PASSWORD=$DB_PASSWORD"
+        export DB_PASSWORD  # do not log password
 
         bashio::log.warning "Firefly-iii is using the Maria DB addon"
         bashio::log.warning "Please ensure this is included in your backups"
         bashio::log.warning "Uninstalling the MariaDB addon will remove any data"
 
         bashio::log.info "Creating database for Firefly-iii if required"
-        # Create database without SSL requirement
+        # Create database using service discovery credentials which have CREATE privilege
         mysql \
             --skip-ssl \
-            -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
+            -u "${BOOTSTRAP_USERNAME}" -p"${BOOTSTRAP_PASSWORD}" \
             -h "${DB_HOST}" -P "${DB_PORT}" \
             -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
         ;;