From 169e3134f83fce70fa1a46ff0a8432b1d8b867bd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 11:54:58 +0000
Subject: [PATCH] fix(fireflyiii): address review feedback - no password
 logging, safe CREATE DATABASE, DB name validation, v6.5.10

Agent-Logs-Url: https://github.com/alexbelgium/hassio-addons/sessions/3edc7858-637d-40e0-849a-4d525187396d

Co-authored-by: alexbelgium <44178713+alexbelgium@users.noreply.github.com>
---
 fireflyiii/CHANGELOG.md                     |  5 +++++
 fireflyiii/config.yaml                      |  2 +-
 fireflyiii/rootfs/etc/cont-init.d/99-run.sh | 18 +++++++++++++-----
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/fireflyiii/CHANGELOG.md b/fireflyiii/CHANGELOG.md
index 32c2d0391..64b015523 100644
--- a/fireflyiii/CHANGELOG.md
+++ b/fireflyiii/CHANGELOG.md
@@ -1,4 +1,9 @@
 
+## 6.5.10 (2026-04-23)
+- Fix: use service discovery credentials for CREATE DATABASE bootstrap (prevents failure when user-specified credentials lack CREATE privilege)
+- Fix: validate DB_DATABASE name to prevent SQL injection in bootstrap SQL statement
+- Fix: DB_PASSWORD is no longer logged to addon logs
+
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
 - Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials
diff --git a/fireflyiii/config.yaml b/fireflyiii/config.yaml
index f16e761fb..1ca3ffda3 100644
--- a/fireflyiii/config.yaml
+++ b/fireflyiii/config.yaml
@@ -104,5 +104,5 @@ slug: fireflyiii
 startup: services
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "6.5.9"
+version: "6.5.10"
 webui: "[PROTO:ssl]://[HOST]:[PORT:8080]"
diff --git a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
index 5c9ecfb59..d8be95a51 100755
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -91,9 +91,17 @@ case $(bashio::config 'DB_CONNECTION') in
         DB_HOST=$(bashio::services "mysql" "host")
         DB_PORT=$(bashio::services "mysql" "port")
 
+        # Always fetch service discovery credentials for bootstrap operations (CREATE DATABASE)
+        BOOTSTRAP_USERNAME=$(bashio::services "mysql" "username")
+        BOOTSTRAP_PASSWORD=$(bashio::services "mysql" "password")
+
         # Use user-configured database name if provided, otherwise default to 'firefly'
         if bashio::config.has_value "DB_DATABASE"; then
             DB_DATABASE=$(bashio::config "DB_DATABASE")
+            # Validate: only allow alphanumeric, underscore, and dash
+            if [[ ! "$DB_DATABASE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+                bashio::exit.nok "DB_DATABASE contains invalid characters. Only alphanumeric, underscore, and dash are allowed."
+            fi
         else
             DB_DATABASE=firefly
         fi
@@ -102,12 +110,12 @@ case $(bashio::config 'DB_CONNECTION') in
         if bashio::config.has_value "DB_USERNAME"; then
             DB_USERNAME=$(bashio::config "DB_USERNAME")
         else
-            DB_USERNAME=$(bashio::services "mysql" "username")
+            DB_USERNAME=${BOOTSTRAP_USERNAME}
         fi
         if bashio::config.has_value "DB_PASSWORD"; then
             DB_PASSWORD=$(bashio::config "DB_PASSWORD")
         else
-            DB_PASSWORD=$(bashio::services "mysql" "password")
+            DB_PASSWORD=${BOOTSTRAP_PASSWORD}
         fi
 
         export DB_CONNECTION
@@ -115,17 +123,17 @@ case $(bashio::config 'DB_CONNECTION') in
         export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
         export DB_DATABASE && bashio::log.blue "DB_DATABASE=$DB_DATABASE"
         export DB_USERNAME && bashio::log.blue "DB_USERNAME=$DB_USERNAME"
-        export DB_PASSWORD && bashio::log.blue "DB_PASSWORD=$DB_PASSWORD"
+        export DB_PASSWORD  # do not log password
 
         bashio::log.warning "Firefly-iii is using the Maria DB addon"
         bashio::log.warning "Please ensure this is included in your backups"
         bashio::log.warning "Uninstalling the MariaDB addon will remove any data"
 
         bashio::log.info "Creating database for Firefly-iii if required"
-        # Create database without SSL requirement
+        # Create database using service discovery credentials which have CREATE privilege
         mysql \
             --skip-ssl \
-            -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
+            -u "${BOOTSTRAP_USERNAME}" -p"${BOOTSTRAP_PASSWORD}" \
             -h "${DB_HOST}" -P "${DB_PORT}" \
             -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
         ;;