fix: harden gstack-slug against shell injection via eval

Whitelist safe characters (a-zA-Z0-9._-) in SLUG and BRANCH output
to prevent shell metacharacter injection when used with eval.

Only affects self-hosted git servers with lax naming rules — GitHub
and GitLab already enforce safe characters. This is defense-in-depth.
Tyrone Robb
2026-03-18 09:09:50 +00:00
parent 716e4c934a
commit 02c76d3e8c
2 changed files with 13 additions and 2 deletions
+4 -2
@@ -3,7 +3,9 @@
# Usage: eval $(gstack-slug) → sets SLUG and BRANCH variables
# Or: gstack-slug → prints SLUG=... and BRANCH=... lines
set -euo pipefail
SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-')
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-')
# tr -cd strips any shell metacharacters (;$`|&! etc) from git-derived values
# to prevent injection via eval $(gstack-slug). See: #133
SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-' | tr -cd 'a-zA-Z0-9._-')
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-' | tr -cd 'a-zA-Z0-9._-')
echo "SLUG=$SLUG"
echo "BRANCH=$BRANCH"
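Review bot: The `tr -cd 'a-zA-Z0-9._-'` added to the SLUG and BRANCH assignments silently drops offending bytes instead of rejecting the value, so a remote or branch whose name contains characters outside the set is quietly mapped to a different slug — possibly colliding with another — with no diagnostic for the caller of `eval $(gstack-slug)`. The range syntax `a-z`/`A-Z` in `tr` is also locale-sensitive on some implementations, so the whitelist should be pinned to ASCII with `LC_ALL=C tr -cd 'a-zA-Z0-9._-'`. Since both lines repeat the same pattern, factoring the step into a small helper keeps the whitelist defined once and lets it warn on stderr (which `eval $(...)` does not capture) whenever a value was actually altered; the `git`/`sed` extraction stays as it is.
```shell
# Single definition of the safe-character set; warn on stderr when stripping
# changed the value so silent slug collisions are noticeable (see #133).
sanitize() {
  local value cleaned
  value=$(printf '%s' "$1" | tr '/' '-')
  cleaned=$(printf '%s' "$value" | LC_ALL=C tr -cd 'a-zA-Z0-9._-')
  [ "$cleaned" = "$value" ] || printf 'gstack-slug: dropped unsafe characters from %s\n' "$1" >&2
  printf '%s' "$cleaned"
}
SLUG=$(sanitize "$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|')")
BRANCH=$(sanitize "$(git rev-parse --abbrev-ref HEAD 2>/dev/null)")
# … unchanged: echo "SLUG=..." / echo "BRANCH=..." …
```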