fix(coderd/templatebuilder): auto-quote string variable values for HCL

jeremyruppel · jeremyruppel · commit 8868d03ce592 · 2026-06-16T19:36:41.000Z
The backend now accepts raw string values from callers (e.g. "anthropic")
and wraps them in HCL quotes automatically via hclQuote(). Previously
callers were required to send pre-quoted HCL literals, which is not a
reasonable API contract for frontend consumers.

- validateStringValue now validates raw strings (rejects interpolation
  and overlong values)
- toHCLLiteral wraps string values in quotes with proper escaping
- hclQuote handles backslash, quote, newline, and carriage return escaping
- null is passed through unquoted for all types
diff --git a/coderd/templatebuilder/compose.go b/coderd/templatebuilder/compose.go
@@ -245,15 +245,17 @@ func mergeModuleVariables(manifest ModuleManifest, callerVars map[string]string)
 		// missingkey=error surfaces the omission at render time.
 	}
 
-	// Overlay validated caller values.
+	// Overlay validated caller values, converting to HCL literals.
 	for k, val := range callerVars {
-		merged[k] = val
+		merged[k] = toHCLLiteral(allowedVars[k], val)
 	}
 	return merged, nil
 }
 
-// validateVariableValue checks that value is a valid HCL literal for the
-// variable's declared type. The literal "null" is accepted for any type.
+// validateVariableValue checks that the caller-supplied value is valid for
+// the variable's declared type. String values are plain text (not
+// pre-quoted); quoting for HCL happens later in toHCLLiteral.
+// The literal "null" is accepted for any type.
 func validateVariableValue(v ModuleVariable, value string) error {
 	if value == "null" {
 		return nil
@@ -270,45 +272,55 @@ func validateVariableValue(v ModuleVariable, value string) error {
 	}
 }
 
-// validateStringValue checks that value is a valid quoted HCL string literal.
-// It must start and end with '"', contain no unescaped newlines or quotes,
-// and must not contain HCL interpolation/directive markers.
+// toHCLLiteral converts a validated caller value into an HCL literal.
+// The literal "null" is passed through for any type. Strings are wrapped
+// in quotes with interior characters escaped; bools and numbers are
+// already valid HCL literals.
+func toHCLLiteral(v ModuleVariable, value string) string {
+	if value == "null" {
+		return value
+	}
+	if v.Type == "string" {
+		return hclQuote(value)
+	}
+	return value
+}
+
+// validateStringValue checks that a raw (unquoted) string value is safe
+// to embed in an HCL quoted string. It rejects HCL interpolation/directive
+// markers and values that exceed the maximum length.
 func validateStringValue(value string) error {
 	if len(value) > maxStringValueLen {
 		return xerrors.Errorf("value exceeds maximum length of %d bytes", maxStringValueLen)
 	}
-	if len(value) < 2 || value[0] != '"' || value[len(value)-1] != '"' {
-		return xerrors.New("must be a quoted string (e.g. \"value\")")
-	}
-
-	inner := value[1 : len(value)-1]
-
-	if strings.Contains(inner, "${") || strings.Contains(inner, "%{") {
+	if strings.Contains(value, "${") || strings.Contains(value, "%{") {
 		return xerrors.New("must not contain HCL interpolation or directive sequences")
 	}
+	return nil
+}
 
-	// Walk the inner content to reject unescaped newlines and quotes.
-	for i := 0; i < len(inner); i++ {
-		ch := inner[i]
-		if ch == '\\' {
-			i++
-			if i >= len(inner) {
-				// Trailing backslash with no character to escape.
-				// In HCL this would escape the closing quote delimiter,
-				// producing an unterminated string.
-				return xerrors.New("must not end with a trailing backslash")
-			}
-			continue
-		}
-		if ch == '"' {
-			return xerrors.New("must not contain unescaped quotes")
-		}
-		if ch == '\n' || ch == '\r' {
-			return xerrors.New("must not contain unescaped newlines")
+// hclQuote wraps a raw string in HCL double-quotes, escaping backslashes,
+// double-quotes, and newlines so the result is a valid HCL string literal.
+func hclQuote(s string) string {
+	var b strings.Builder
+	b.Grow(len(s) + 2)
+	_, _ = b.WriteRune('"')
+	for i := 0; i < len(s); i++ {
+		switch s[i] {
+		case '\\':
+			_, _ = b.WriteString("\\\\")
+		case '"':
+			_, _ = b.WriteString("\\\"")
+		case '\n':
+			_, _ = b.WriteString("\\n")
+		case '\r':
+			_, _ = b.WriteString("\\r")
+		default:
+			_ = b.WriteByte(s[i])
 		}
 	}
-
-	return nil
+	_, _ = b.WriteRune('"')
+	return b.String()
 }
 
 // validateNumberValue checks that value is a valid HCL number literal.
diff --git a/coderd/templatebuilder/compose_internal_test.go b/coderd/templatebuilder/compose_internal_test.go
@@ -97,7 +97,7 @@ func TestMergeModuleVariables(t *testing.T) {
 	t.Run("CallerProvidesRequired", func(t *testing.T) {
 		t.Parallel()
 		merged, err := mergeModuleVariables(manifest, map[string]string{
-			"required_no_default": `"value"`,
+			"required_no_default": "value",
 		})
 		require.NoError(t, err)
 		require.Equal(t, `"value"`, merged["required_no_default"])
@@ -153,11 +153,11 @@ func TestMergeModuleVariables(t *testing.T) {
 	t.Run("InvalidStringValueRejected", func(t *testing.T) {
 		t.Parallel()
 		_, err := mergeModuleVariables(manifest, map[string]string{
-			"optional_no_default": "unquoted",
+			"optional_no_default": "${var.foo}",
 		})
 		require.Error(t, err)
 		require.Contains(t, err.Error(), `variable "optional_no_default"`)
-		require.Contains(t, err.Error(), "quoted string")
+		require.Contains(t, err.Error(), "interpolation")
 	})
 
 	t.Run("NullAcceptedForAnyType", func(t *testing.T) {
@@ -189,28 +189,17 @@ func TestValidateStringValue(t *testing.T) {
 		value   string
 		wantErr string
 	}{
-		{"ValidEmpty", `""`, ""},
-		{"ValidSimple", `"hello"`, ""},
-		{"ValidPath", `"/home/coder"`, ""},
-		{"ValidURL", `"https://github.com/coder/coder"`, ""},
-		{"ValidLiteralBackslashN", `"line\\nbreak"`, ""},
-		{"ValidEscapedQuote", `"say \"hi\""`, ""},
-		{"ValidEscapedBackslash", `"path\\to\\file"`, ""},
-
-		{"RejectedUnquoted", "hello", "quoted string"},
-		{"RejectedMissingOpenQuote", `hello"`, "quoted string"},
-		{"RejectedMissingCloseQuote", `"hello`, "quoted string"},
-		{"RejectedEmpty", "", "quoted string"},
-		{"RejectedSingleChar", `"`, "quoted string"},
-		{"RejectedUnescapedNewline", "\"line\nbreak\"", "unescaped newlines"},
-		{"RejectedCarriageReturn", "\"line\rbreak\"", "unescaped newlines"},
-		{"RejectedUnescapedQuote", `"say "hi""`, "unescaped quotes"},
-		{"RejectedHCLInterpolation", `"${var.foo}"`, "interpolation"},
-		{"RejectedHCLDirective", `"%{if true}yes%{endif}"`, "interpolation"},
-		{"RejectedOverlong", `"` + strings.Repeat("a", maxStringValueLen) + `"`, "maximum length"},
-		{"RejectedTrailingBackslash", `"test\"`, "trailing backslash"},
-		{"RejectedTrailingBackslashOnly", `"\"`, "trailing backslash"},
-		{"ValidEvenTrailingBackslashes", `"test\\\\"`, ""},
+		{"ValidEmpty", "", ""},
+		{"ValidSimple", "hello", ""},
+		{"ValidPath", "/home/coder", ""},
+		{"ValidURL", "https://github.com/coder/coder", ""},
+		{"ValidWithQuotes", `say "hi"`, ""},
+		{"ValidWithNewlines", "line\nbreak", ""},
+		{"ValidWithBackslash", `path\to\file`, ""},
+
+		{"RejectedHCLInterpolation", "${var.foo}", "interpolation"},
+		{"RejectedHCLDirective", "%{if true}yes%{endif}", "interpolation"},
+		{"RejectedOverlong", strings.Repeat("a", maxStringValueLen+1), "maximum length"},
 	}
 
 	for _, tc := range tests {
@@ -313,7 +302,7 @@ func TestValidateVariableValue(t *testing.T) {
 	t.Run("UnsupportedTypeRejected", func(t *testing.T) {
 		t.Parallel()
 		v := ModuleVariable{Name: "test", Type: "list"}
-		err := validateVariableValue(v, `"val"`)
+		err := validateVariableValue(v, "val")
 		require.Error(t, err)
 		require.Contains(t, err.Error(), "unsupported variable type")
 	})
diff --git a/coderd/templatebuilder/compose_test.go b/coderd/templatebuilder/compose_test.go
@@ -93,7 +93,7 @@ func TestCompose(t *testing.T) {
 				{
 					ID: "git-clone",
 					Variables: map[string]string{
-						"url": `"https://github.com/coder/coder"`,
+						"url": "https://github.com/coder/coder",
 					},
 				},
 			},
@@ -178,7 +178,7 @@ func TestCompose(t *testing.T) {
 				{
 					ID: "code-server",
 					Variables: map[string]string{
-						"nonexistent_var": `"value"`,
+						"nonexistent_var": "value",
 					},
 				},
 			},
@@ -216,7 +216,7 @@ func TestCompose(t *testing.T) {
 				{
 					ID: "code-server",
 					Variables: map[string]string{
-						"folder": `"${var.evil}"`,
+						"folder": "${var.evil}",
 					},
 				},
 			},
