Merge pull request #2663 from alexbelgium/copilot/fix-firefly-access-denied-issue

fix(fireflyiii): respect user-configured DB credentials when using mariadb_addon
2026-04-26 12:21:02 +02:00 · 2026-04-23 14:14:33 +02:00
parent 6b0341b4b2 169e3134f8
commit e365fbe944
4 changed files with 42 additions and 11 deletions
--- a/fireflyiii/CHANGELOG.md
+++ b/fireflyiii/CHANGELOG.md
@@ -1,6 +1,12 @@

+## 6.5.10 (2026-04-23)
+- Fix: use service discovery credentials for CREATE DATABASE bootstrap (prevents failure when user-specified credentials lack CREATE privilege)
+- Fix: validate DB_DATABASE name to prevent SQL injection in bootstrap SQL statement
+- Fix: DB_PASSWORD is no longer logged to addon logs
+
 ## 6.5.9 (2026-03-28)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
+- Fix: mariadb_addon now respects user-configured DB_USERNAME, DB_PASSWORD, and DB_DATABASE options instead of always using service discovery credentials

 ## 6.5.6 (2026-03-21)
 - Update to latest version from firefly-iii/firefly-iii (changelog : https://github.com/firefly-iii/firefly-iii/releases)
--- a/fireflyiii/README.md
+++ b/fireflyiii/README.md
@@ -51,9 +51,9 @@ Configurations can be done through the app webUI, except for the following optio
 | `DB_CONNECTION` | list | `sqlite_internal` | Database type (sqlite_internal/mariadb_addon/mysql/pgsql) |
 | `DB_HOST` | str | | Database host (for external databases) |
 | `DB_PORT` | str | | Database port (for external databases) |
-| `DB_DATABASE` | str | | Database name (for external databases) |
-| `DB_USERNAME` | str | | Database username (for external databases) |
-| `DB_PASSWORD` | str | | Database password (for external databases) |
+| `DB_DATABASE` | str | | Database name (defaults to `firefly` for mariadb_addon) |
+| `DB_USERNAME` | str | | Database username (overrides MariaDB addon service discovery if set) |
+| `DB_PASSWORD` | str | | Database password (overrides MariaDB addon service discovery if set) |
 | `Updates` | list | | Automatic update schedule (hourly/daily/weekly) |
 | `silent` | bool | `true` | Silent mode - set to false for debug info |

--- a/fireflyiii/config.yaml
+++ b/fireflyiii/config.yaml
@@ -104,5 +104,5 @@ slug: fireflyiii
 startup: services
 udev: true
 url: https://github.com/alexbelgium/hassio-addons
-version: "6.5.9"
+version: "6.5.10"
 webui: "[PROTO:ssl]://[HOST]:[PORT:8080]"
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -90,27 +90,52 @@ case $(bashio::config 'DB_CONNECTION') in
        DB_CONNECTION=mysql
        DB_HOST=$(bashio::services "mysql" "host")
        DB_PORT=$(bashio::services "mysql" "port")
-        DB_DATABASE=firefly
-        DB_USERNAME=$(bashio::services "mysql" "username")
-        DB_PASSWORD=$(bashio::services "mysql" "password")
+
+        # Always fetch service discovery credentials for bootstrap operations (CREATE DATABASE)
+        BOOTSTRAP_USERNAME=$(bashio::services "mysql" "username")
+        BOOTSTRAP_PASSWORD=$(bashio::services "mysql" "password")
+
+        # Use user-configured database name if provided, otherwise default to 'firefly'
+        if bashio::config.has_value "DB_DATABASE"; then
+            DB_DATABASE=$(bashio::config "DB_DATABASE")
+            # Validate: only allow alphanumeric, underscore, and dash
+            if [[ ! "$DB_DATABASE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+                bashio::exit.nok "DB_DATABASE contains invalid characters. Only alphanumeric, underscore, and dash are allowed."
+            fi
+        else
+            DB_DATABASE=firefly
+        fi
+
+        # Use user-configured credentials if provided, otherwise use service discovery
+        if bashio::config.has_value "DB_USERNAME"; then
+            DB_USERNAME=$(bashio::config "DB_USERNAME")
+        else
+            DB_USERNAME=${BOOTSTRAP_USERNAME}
+        fi
+        if bashio::config.has_value "DB_PASSWORD"; then
+            DB_PASSWORD=$(bashio::config "DB_PASSWORD")
+        else
+            DB_PASSWORD=${BOOTSTRAP_PASSWORD}
+        fi
+
        export DB_CONNECTION
        export DB_HOST && bashio::log.blue "DB_HOST=$DB_HOST"
        export DB_PORT && bashio::log.blue "DB_PORT=$DB_PORT"
        export DB_DATABASE && bashio::log.blue "DB_DATABASE=$DB_DATABASE"
        export DB_USERNAME && bashio::log.blue "DB_USERNAME=$DB_USERNAME"
-        export DB_PASSWORD && bashio::log.blue "DB_PASSWORD=$DB_PASSWORD"
+        export DB_PASSWORD  # do not log password

        bashio::log.warning "Firefly-iii is using the Maria DB addon"
        bashio::log.warning "Please ensure this is included in your backups"
        bashio::log.warning "Uninstalling the MariaDB addon will remove any data"

        bashio::log.info "Creating database for Firefly-iii if required"
-        # Create database without SSL requirement
+        # Create database using service discovery credentials which have CREATE privilege
        mysql \
            --skip-ssl \
-            -u "${DB_USERNAME}" -p"${DB_PASSWORD}" \
+            -u "${BOOTSTRAP_USERNAME}" -p"${BOOTSTRAP_PASSWORD}" \
            -h "${DB_HOST}" -P "${DB_PORT}" \
-            -e "CREATE DATABASE IF NOT EXISTS \`firefly\`;"
+            -e "CREATE DATABASE IF NOT EXISTS \`${DB_DATABASE}\`;"
        ;;

        # Use remote