From 1260a6743ef3e80e4caa8da089a1219c6572d58b Mon Sep 17 00:00:00 2001
From: toller892 <toller892@gmail.com>
Date: Tue, 2 Jun 2026 00:56:26 +0800
Subject: [PATCH] fix: allow CLI flags to override config file settings with
 empty values

When a user passes --encrypted-regex='' on the command line, the intent
is to unset the config file's encrypted_regex setting. Previously, the
code checked if the CLI value was empty and fell back to the config,
making it impossible to override config settings with empty strings.

Use cli.Context.IsSet() to distinguish 'flag not provided' from 'flag
explicitly set to empty string'. This applies to all six suffix/regex
flags: encrypted-suffix, unencrypted-suffix, encrypted-regex,
unencrypted-regex, encrypted-comment-regex, unencrypted-comment-regex.

Fixes #617
---
 cmd/sops/main.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/cmd/sops/main.go b/cmd/sops/main.go
index 330c3bc8eb..cc6976359a 100644
--- a/cmd/sops/main.go
+++ b/cmd/sops/main.go
@@ -2125,23 +2125,26 @@ func getEncryptConfig(c *cli.Context, fileName string, inputStore common.Store,
 		}
 	}
 	if optionalConfig != nil {
-		// command line options have precedence
-		if unencryptedSuffix == "" {
+		// command line options have precedence over config file settings.
+		// Use IsSet to distinguish "flag not provided" from "flag explicitly
+		// set to empty string", so that --encrypted-regex="" properly
+		// overrides a config file value (fixes #617).
+		if !c.IsSet("unencrypted-suffix") && unencryptedSuffix == "" {
 			unencryptedSuffix = optionalConfig.UnencryptedSuffix
 		}
-		if encryptedSuffix == "" {
+		if !c.IsSet("encrypted-suffix") && encryptedSuffix == "" {
 			encryptedSuffix = optionalConfig.EncryptedSuffix
 		}
-		if encryptedRegex == "" {
+		if !c.IsSet("encrypted-regex") && encryptedRegex == "" {
 			encryptedRegex = optionalConfig.EncryptedRegex
 		}
-		if unencryptedRegex == "" {
+		if !c.IsSet("unencrypted-regex") && unencryptedRegex == "" {
 			unencryptedRegex = optionalConfig.UnencryptedRegex
 		}
-		if encryptedCommentRegex == "" {
+		if !c.IsSet("encrypted-comment-regex") && encryptedCommentRegex == "" {
 			encryptedCommentRegex = optionalConfig.EncryptedCommentRegex
 		}
-		if unencryptedCommentRegex == "" {
+		if !c.IsSet("unencrypted-comment-regex") && unencryptedCommentRegex == "" {
 			unencryptedCommentRegex = optionalConfig.UnencryptedCommentRegex
 		}
 		if !macOnlyEncrypted {