fix(security): shell injection in bin/ scripts — use env vars instead of interpolation

gstack-settings-hook interpolated $SETTINGS_FILE directly into bun -e
double-quoted blocks. A path containing quotes or backticks breaks the JS
string context, enabling arbitrary code execution.

Replace direct interpolation with environment variables (process.env).
Same fix applied to gstack-team-init which had the same pattern.

Systematic audit confirmed only these two scripts were vulnerable — all
other bin/ scripts already use stdin piping or env vars.

Closes #858

Co-Authored-By: Gus <garagon@users.noreply.github.com>
This commit is contained in:
Garry Tan
2026-04-13 09:33:01 -07:00
parent 4b9fb4a3db
commit ffb56b556d
2 changed files with 7 additions and 7 deletions
+2 -2
@@ -139,9 +139,9 @@ HOOK_EOF
# Add hook to project-level settings.json
if command -v bun >/dev/null 2>&1; then
bun -e "
GSTACK_SETTINGS_PATH="$SETTINGS" bun -e "
const fs = require('fs');
const settingsPath = '$SETTINGS';
const settingsPath = process.env.GSTACK_SETTINGS_PATH;
let settings = {};
try { settings = JSON.parse(fs.readFileSync(settingsPath, 'utf8')); } catch {}
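Review bot: the fix only moves `$SETTINGS` out of the JS source; the script body is still wrapped in a double-quoted `bun -e "` block, so any `$`, backtick or `\` that later lands in this JS (a template literal, a regex, a `${...}` in an error message) is still expanded by the shell before bun sees it. To close the class rather than the instance, feed the program to bun without shell interpolation, e.g. `bun -e "$(cat <<'EOF'` ... `EOF` `)"` or pipe it on stdin as the commit message says the other bin/ scripts already do, and keep `GSTACK_SETTINGS_PATH="$SETTINGS"` as the only data handed across the boundary. Separately, `try { ... } catch {}` treats an unparseable settings.json the same as a missing one and continues with `settings = {}`; if the following lines write that object back, a corrupt file is silently replaced rather than reported, which is worth a comment or a distinct error path.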