CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-02 11:45:20 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
fd7f30d53aa996cbc11d27220d71829c44b586b5
gstack/bin
T
History
Garry Tan ffb56b556d fix(security): shell injection in bin/ scripts — use env vars instead of interpolation 
gstack-settings-hook interpolated $SETTINGS_FILE directly into bun -e
double-quoted blocks. A path containing quotes or backticks breaks the JS
string context, enabling arbitrary code execution.

Replace direct interpolation with environment variables (process.env).
Same fix applied to gstack-team-init which had the same pattern.

Systematic audit confirmed only these two scripts were vulnerable — all
other bin/ scripts already use stdin piping or env vars.

Closes #858

Co-Authored-By: Gus <garagon@users.noreply.github.com>
2026-04-13 09:33:01 -07:00
..
chrome-cdp
fix: security audit round 2 (v0.13.4.0) (#640)
2026-03-29 22:46:33 -06:00
dev-setup
feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)
2026-03-19 18:20:50 -07:00
dev-teardown
feat: multi-agent support — gstack works on Codex, Gemini CLI, and Cursor (v0.9.0) (#226)
2026-03-19 18:20:50 -07:00
gstack-analytics
feat: opt-in usage telemetry + community intelligence platform (v0.8.6) (#210)
2026-03-19 17:21:05 -07:00
gstack-builder-profile
feat: relationship closing — office-hours adapts to repeat users (v0.16.2.0) (#937)
2026-04-08 22:21:28 -10:00
gstack-community-dashboard
fix: Supabase telemetry security lockdown (v0.11.16.0) (#460)
2026-03-24 15:01:31 -07:00
gstack-config
feat: composable skills — INVOKE_SKILL resolver + factoring infrastructure (v0.13.7.0) (#644)
2026-03-29 23:35:17 -06:00
gstack-diff-scope
feat: Review Army — parallel specialist reviewers for /review (v0.14.3.0) (#692)
2026-03-30 22:07:50 -06:00
gstack-extension
feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517)
2026-03-26 11:15:24 -06:00
gstack-global-discover.ts
refactor: AI slop reduction with cross-model quality review (v0.16.3.0) (#941)
2026-04-10 17:13:15 -10:00
gstack-learnings-log
feat: GStack Learns — per-project self-learning infrastructure (v0.13.4.0) (#622)
2026-03-29 17:02:01 -06:00
gstack-learnings-search
fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847)
2026-04-06 00:47:04 -07:00
gstack-open-url
feat: community wave — 7 fixes, relink, sidebar Write, discoverability (v0.13.5.0) (#641)
2026-03-29 21:43:36 -06:00
gstack-patch-names
fix: ship idempotency + skill prefix name patching (v0.14.3.0) (#693)
2026-03-30 22:25:46 -06:00
gstack-platform-detect
feat: declarative multi-host platform + OpenCode, Slate, Cursor, OpenClaw (v0.15.5.0) (#793)
2026-04-04 15:32:20 -07:00
gstack-relink
fix: top-level skill dirs so Claude discovers unprefixed names (#761)
2026-04-02 18:34:00 -07:00
gstack-repo-mode
feat: test coverage catalog — shared audit across plan/ship/review (v0.10.1.0) (#259)
2026-03-22 11:28:16 -07:00
gstack-review-log
fix: community PRs + security hardening + E2E stability (v0.12.7.0) (#552)
2026-03-26 23:21:27 -06:00
gstack-review-read
fix: gstack-slug bash compatibility — source to eval (#354)
2026-03-22 21:02:01 -07:00
gstack-session-update
feat: team-friendly gstack install mode (v0.15.7.0) (#809)
2026-04-05 23:49:03 -07:00
gstack-settings-hook
fix(security): shell injection in bin/ scripts — use env vars instead of interpolation
2026-04-13 09:33:01 -07:00
gstack-slug
fix: gstack-slug produces deterministic slugs across sessions (#897)
2026-04-07 15:42:13 -10:00
gstack-specialist-stats
feat: adaptive gating + cross-review dedup for review army (v0.15.2.0) (#760)
2026-04-04 22:46:21 -07:00
gstack-team-init
fix(security): shell injection in bin/ scripts — use env vars instead of interpolation
2026-04-13 09:33:01 -07:00
gstack-telemetry-log
fix: security audit remediation — 12 fixes, 20 tests (v0.13.1.0) (#595)
2026-03-28 08:35:24 -06:00
gstack-telemetry-sync
fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847)
2026-04-06 00:47:04 -07:00
gstack-timeline-log
feat: Session Intelligence Layer — /checkpoint + /health + context recovery (v0.15.0.0) (#733)
2026-04-01 00:50:42 -06:00
gstack-timeline-read
feat: Session Intelligence Layer — /checkpoint + /health + context recovery (v0.15.0.0) (#733)
2026-04-01 00:50:42 -06:00
gstack-uninstall
feat: team-friendly gstack install mode (v0.15.7.0) (#809)
2026-04-05 23:49:03 -07:00
gstack-update-check
fix: community PRs + security hardening + E2E stability (v0.12.7.0) (#552)
2026-03-26 23:21:27 -06:00