fix(git-tools): remove eval from issue-create wrapper #559

Closed
opened 2026-06-19 21:51:03 +00:00 by jason.woltje · 0 comments

Problem

The Mosaic git wrapper issue-create.sh builds a tea command string and executes it via eval. When an issue body contains Markdown inline code or shell-looking snippets, the shell can perform command substitution during the tea attempt.

Observed while creating issue #558: inline-code examples such as confidence/source values and mosaic budget command examples produced command-not-found / unknown-command noise before the API fallback succeeded.

Risk

  • User-provided issue/PR Markdown can be interpreted by the shell before reaching tea.
  • The API fallback may still create the issue, masking the unsafe wrapper behavior.
  • This is a security and reliability bug in the wrapper layer.

Required fix

  • Remove eval-based command construction from issue-create.sh.
  • Use argv arrays for gh and tea invocations.
  • Preserve multi-line Markdown bodies verbatim.
  • Add a regression test with Markdown containing inline-code, dollar signs, quotes, and command-looking snippets.

Acceptance criteria

  • Creating an issue with multi-line Markdown and inline code emits no shell command-substitution noise.
  • The issue body is preserved exactly enough for Markdown review.
  • Fallback behavior remains intact when tea cannot infer the repo.
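As an added illustration of the fix this issue asks for (example code, not the Mosaic wrapper's own issue-create.sh), the eval-based construction sits beside an argv-based rewrite, with a stub `tea` function standing in for the real CLI so it runs offline; the `issues create --title/--description` flags and the regression body are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the Mosaic project's issue-create.sh. A stub `tea` replaces
# the real CLI so this runs offline; the `issues create --title/--description`
# flags are an assumption for illustration.

# Stub tea: record the exact --description argument it receives (no network).
tea() {
  TEA_DESCRIPTION=
  while [ $# -gt 0 ]; do
    if [ "$1" = "--description" ]; then TEA_DESCRIPTION=$2; shift; fi
    shift
  done
}

# Constructed regression body: inline code, $( ), quotes, a variable reference.
REGRESSION_BODY='Observed values: `confidence=0.9` and `source=api`.
Reproduce with `mosaic budget --show` or $(date +%Y) and "quoted text",
plus '"'"'single quotes'"'"' and a literal $HOME reference.'

# BEFORE (the bug): build a string and eval it. The shell re-parses the body,
# so the backtick and $( ) snippets run as commands before tea ever sees them.
create_issue_eval() {
  cmd="tea issues create --title \"$1\" --description \"$2\""
  eval "$cmd"
}

# AFTER (the fix): build argv with `set --` (POSIX; a bash array behaves the
# same) and run it directly. Each argument is passed through unchanged:
# no word splitting, no command substitution, newlines preserved.
create_issue_argv() {
  set -- tea issues create --title "$1" --description "$2"
  "$@"
}

# Regression check: succeeds only if tea received the body byte-for-byte.
body_preserved_by() {
  TEA_DESCRIPTION=
  "$1" "Regression: eval removal" "$REGRESSION_BODY" 2>/dev/null
  [ "$TEA_DESCRIPTION" = "$REGRESSION_BODY" ]
}

# Stand-alone run: reports which variant kept the Markdown intact.
for fn in create_issue_eval create_issue_argv; do
  if body_preserved_by "$fn"; then echo "$fn: body preserved"; else echo "$fn: body ALTERED"; fi
done
```

The eval variant also emits the command-not-found noise the issue describes on stderr (suppressed here), which is the symptom a regression test should assert never appears.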
Reference: mosaicstack/stack#559