fix(framework/tools): eval injection, broken JSON, and tmpfile leak in git wrappers #548

New Issue

Closed

opened 2026-06-18 18:51:03 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-06-18 18:51:03 +00:00

Owner

Copy Link

Three confirmed defects in packages/mosaic/framework/tools/git/:

F-01 (HIGH, shell injection) — issue-edit.sh and issue-assign.sh build commands via string interpolation then run eval. A title/body/label containing $(id) will execute arbitrary code.

F-07 (MED, broken JSON) — milestone-create.sh builds GitHub API JSON payload via string interpolation. A title containing a double-quote breaks the JSON, causing the API call to fail.

F-13 (LOW, tmpfile leak) — pr-metadata.sh creates a tmpfile via mktemp inside curl_gitea_pull() but only removes it in the success paths. A set -e early exit leaks the file.

Fix branch: fix/tooling-eval-injection-jq-json

Three confirmed defects in packages/mosaic/framework/tools/git/: **F-01 (HIGH, shell injection)** — issue-edit.sh and issue-assign.sh build commands via string interpolation then run eval. A title/body/label containing $(id) will execute arbitrary code. **F-07 (MED, broken JSON)** — milestone-create.sh builds GitHub API JSON payload via string interpolation. A title containing a double-quote breaks the JSON, causing the API call to fail. **F-13 (LOW, tmpfile leak)** — pr-metadata.sh creates a tmpfile via mktemp inside curl_gitea_pull() but only removes it in the success paths. A set -e early exit leaks the file. Fix branch: fix/tooling-eval-injection-jq-json

jason.woltje referenced this issue from a commit 2026-06-18 18:51:27 +00:00

fix(framework/tools): eval injection, broken JSON, tmpfile leak (#548)

jason.woltje referenced a pull request that will close this issue 2026-06-18 18:51:39 +00:00

fix(framework/tools): eval injection, broken JSON, tmpfile leak #549

jason.woltje closed this issue 2026-06-18 21:35:33 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/tooling-eval-injection-jq-json

feat/agent-send-class

fix/wrapper-hardening-tls-credpath-cicwait

docs/framework-agency-patterns

feat/framework-constitution-alpha

feat/us007-agent-registration

docs/merge-authority-rule

feat/mosaic-as-provisioning

fix/pr-ci-wait-stdin-collision

fix/t_301e4e3b-pr-merge-gitea-empty-uid

ci/publish-appservice-image

feat/mosaic-as-daemon

feat/mosaic-as-m4a

fix/pi-token-lean-skills

fix/git-wrapper-rollup-20260526

fix/git-wrapper-repo-detection

fix/woodpecker-wrapper-legacy-mosaic

fix/t-a292e96f-gitea-pr-metadata

fix/gitea-pr-metadata-login-t-a292e96f

fix/t_a292e96f-pr-metadata-gitea

fix/t_3a368a52-gitea-usc-login

fix/bootstrap-hotfix

fix/populate-known-packages-list

fix/idempotent-init

mosaic-v0.0.31

fed-v0.2.0-m2

fed-v0.1.0-m1

mosaic-v0.0.29

mosaic-v0.0.28

mosaic-v0.0.27

mosaic-v0.0.26

mosaic-v0.0.25

mosaic-v0.0.24

v0.2.0

v0.1.0

v0.0.8

v0.0.7

v0.0.6

v0.0.5

v0.0.4

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaicstack/stack#548