hai/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-21 12:18:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden gstack-slug against shell injection via eval

Browse Source 
Whitelist safe characters (a-zA-Z0-9._-) in SLUG and BRANCH output
to prevent shell metacharacter injection when used with eval.

Only affects self-hosted git servers with lax naming rules — GitHub
and GitLab enforce safe characters already. Defense-in-depth.
This commit is contained in:
Tyrone Robb
2026-03-18 09:09:50 +00:00
parent 716e4c934a
commit 02c76d3e8c
2 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bin/gstack-slug
View File

@@ -3,7 +3,9 @@
# Usage: eval $(gstack-slug) → sets SLUG and BRANCH variables # Usage: eval $(gstack-slug) → sets SLUG and BRANCH variables
# Or: gstack-slug → prints SLUG=... and BRANCH=... lines # Or: gstack-slug → prints SLUG=... and BRANCH=... lines
set -euo pipefail set -euo pipefail
SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-') # tr -cd strips any shell metacharacters (;$`|&! etc) from git-derived values
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-') # to prevent injection via eval $(gstack-slug). See: #133
SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-' | tr -cd 'a-zA-Z0-9._-')
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-' | tr -cd 'a-zA-Z0-9._-')
echo "SLUG=$SLUG" echo "SLUG=$SLUG"
echo "BRANCH=$BRANCH" echo "BRANCH=$BRANCH"

9
test/skill-validation.test.ts
View File

@@ -793,6 +793,15 @@ describe('gstack-slug', () => {
expect(lines[0]).toMatch(/^SLUG=.+/); expect(lines[0]).toMatch(/^SLUG=.+/);
expect(lines[1]).toMatch(/^BRANCH=.+/); expect(lines[1]).toMatch(/^BRANCH=.+/);
}); });
test('output values contain only safe characters (no shell metacharacters)', () => {
const result = Bun.spawnSync([SLUG_BIN], { cwd: ROOT, stdout: 'pipe', stderr: 'pipe' });
const slug = result.stdout.toString().match(/SLUG=(.*)/)?.[1] ?? '';
const branch = result.stdout.toString().match(/BRANCH=(.*)/)?.[1] ?? '';
// Only alphanumeric, dot, dash, underscore are allowed (#133)
expect(slug).toMatch(/^[a-zA-Z0-9._-]+$/);
expect(branch).toMatch(/^[a-zA-Z0-9._-]+$/);
});
}); });
// --- Test Bootstrap validation --- // --- Test Bootstrap validation ---