CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 03:35:09 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): shell injection in bin/ scripts — use env vars instead of interpolation

Browse Source 
gstack-settings-hook interpolated $SETTINGS_FILE directly into bun -e
double-quoted blocks. A path containing quotes or backticks breaks the JS
string context, enabling arbitrary code execution.

Replace direct interpolation with environment variables (process.env).
Same fix applied to gstack-team-init which had the same pattern.

Systematic audit confirmed only these two scripts were vulnerable — all
other bin/ scripts already use stdin piping or env vars.

Closes #858

Co-Authored-By: Gus <garagon@users.noreply.github.com>
This commit is contained in:
Garry Tan
2026-04-13 09:33:01 -07:00
parent 4b9fb4a3db
commit ffb56b556d
2 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
bin/gstack-settings-hook
+5 -5
View File
@@ -26,10 +26,10 @@ fi
case "$ACTION" in
add)
bun -e "
GSTACK_SETTINGS_PATH="$SETTINGS_FILE" GSTACK_HOOK_CMD="$HOOK_CMD" bun -e "
const fs = require('fs');
const settingsPath = '$SETTINGS_FILE';
const hookCmd = $(printf '%s' "$HOOK_CMD" | bun -e "process.stdout.write(JSON.stringify(require('fs').readFileSync('/dev/stdin','utf8')))");
const settingsPath = process.env.GSTACK_SETTINGS_PATH;
const hookCmd = process.env.GSTACK_HOOK_CMD;
let settings = {};
try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch {}
@@ -55,9 +55,9 @@ case "$ACTION" in
;;
remove)
[ -f "$SETTINGS_FILE" ] || exit 0
bun -e "
GSTACK_SETTINGS_PATH="$SETTINGS_FILE" bun -e "
const fs = require('fs');
const settingsPath = '$SETTINGS_FILE';
const settingsPath = process.env.GSTACK_SETTINGS_PATH;
let settings = {};
try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch { process.exit(0); }
bin/gstack-team-init
+2 -2
View File
@@ -139,9 +139,9 @@ HOOK_EOF
# Add hook to project-level settings.json
if command -v bun >/dev/null 2>&1; then
bun -e "
GSTACK_SETTINGS_PATH="$SETTINGS" bun -e "
const fs = require('fs');
const settingsPath = '$SETTINGS';
const settingsPath = process.env.GSTACK_SETTINGS_PATH;
let settings = {};
try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch {}