mosaicstack/stack
1
0
Fork 0
Code Issues 23 Pull Requests 4 Actions Packages Projects Releases 14 Wiki Activity

fix(framework/tools): eval injection, broken JSON, tmpfile leak #549

Merged
jason.woltje merged 2 commits from fix/tooling-eval-injection-jq-json into main 2026-06-18 21:35:33 +00:00
Conversation 0 Commits 2 Files Changed 6 +42 -26
4 changed files with 42 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit b0b2c20da0 - Show all commits

21
packages/mosaic/framework/tools/git/issue-assign.sh
View File

@@ -98,27 +98,32 @@ case "$PLATFORM" in
;; ;;
gitea) gitea)
# tea issue edit syntax # tea issue edit syntax
REPO_ARGS=$(get_gitea_repo_args) || { REPO_SLUG=$(get_repo_slug) || {
echo "Error: Could not resolve Gitea repo/login args for remote host" >&2 echo "Error: Could not resolve Gitea repo slug from remote" >&2
exit 1 exit 1
} }
CMD="tea issue edit $ISSUE $REPO_ARGS" REPO_LOGIN=$(get_gitea_login) || {
echo "Error: Could not resolve Gitea login for remote host" >&2
exit 1
}
REPO_ARGS=(--repo "$REPO_SLUG" --login "$REPO_LOGIN")
CMD=(tea issue edit "$ISSUE" "${REPO_ARGS[@]}")
NEEDS_EDIT=false NEEDS_EDIT=false
if [[ -n "$ASSIGNEE" ]]; then if [[ -n "$ASSIGNEE" ]]; then
# tea uses --assignees flag # tea uses --assignees flag
CMD="$CMD --assignees \"$ASSIGNEE\"" CMD+=(--assignees "$ASSIGNEE")
NEEDS_EDIT=true NEEDS_EDIT=true
fi fi
if [[ -n "$LABELS" ]]; then if [[ -n "$LABELS" ]]; then
# tea uses --labels flag (replaces existing) # tea uses --labels flag (replaces existing)
CMD="$CMD --labels \"$LABELS\"" CMD+=(--labels "$LABELS")
NEEDS_EDIT=true NEEDS_EDIT=true
fi fi
if [[ -n "$MILESTONE" ]]; then if [[ -n "$MILESTONE" ]]; then
MILESTONE_ID=$(tea milestones list $REPO_ARGS 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1) MILESTONE_ID=$(tea milestones list "${REPO_ARGS[@]}" 2>/dev/null | grep -E "^\s*[0-9]+" | grep "$MILESTONE" | awk '{print $1}' | head -1)
if [[ -n "$MILESTONE_ID" ]]; then if [[ -n "$MILESTONE_ID" ]]; then
CMD="$CMD --milestone $MILESTONE_ID" CMD+=(--milestone "$MILESTONE_ID")
NEEDS_EDIT=true NEEDS_EDIT=true
else else
echo "Warning: Could not find milestone '$MILESTONE'" >&2 echo "Warning: Could not find milestone '$MILESTONE'" >&2
@@ -126,7 +131,7 @@ case "$PLATFORM" in
fi fi
if [[ "$NEEDS_EDIT" == true ]]; then if [[ "$NEEDS_EDIT" == true ]]; then
eval "$CMD" "${CMD[@]}"
echo "Issue #$ISSUE updated successfully" echo "Issue #$ISSUE updated successfully"
else else
echo "No changes specified" echo "No changes specified"

32
packages/mosaic/framework/tools/git/issue-edit.sh
View File

@@ -63,24 +63,28 @@ fi
detect_platform >/dev/null detect_platform >/dev/null
if [[ "$PLATFORM" == "github" ]]; then if [[ "$PLATFORM" == "github" ]]; then
CMD="gh issue edit $ISSUE_NUMBER" CMD=(gh issue edit "$ISSUE_NUMBER")
[[ -n "$TITLE" ]] && CMD="$CMD --title \"$TITLE\"" [[ -n "$TITLE" ]] && CMD+=(--title "$TITLE")
[[ -n "$BODY" ]] && CMD="$CMD --body \"$BODY\"" [[ -n "$BODY" ]] && CMD+=(--body "$BODY")
[[ -n "$LABELS" ]] && CMD="$CMD --add-label \"$LABELS\"" [[ -n "$LABELS" ]] && CMD+=(--add-label "$LABELS")
[[ -n "$MILESTONE" ]] && CMD="$CMD --milestone \"$MILESTONE\"" [[ -n "$MILESTONE" ]] && CMD+=(--milestone "$MILESTONE")
eval $CMD "${CMD[@]}"
echo "Updated GitHub issue #$ISSUE_NUMBER" echo "Updated GitHub issue #$ISSUE_NUMBER"
elif [[ "$PLATFORM" == "gitea" ]]; then elif [[ "$PLATFORM" == "gitea" ]]; then
REPO_ARGS=$(get_gitea_repo_args) || { REPO_SLUG=$(get_repo_slug) || {
echo "Error: Could not resolve Gitea repo/login args for remote host" >&2 echo "Error: Could not resolve Gitea repo slug from remote" >&2
exit 1 exit 1
} }
CMD="tea issue edit $ISSUE_NUMBER $REPO_ARGS" REPO_LOGIN=$(get_gitea_login) || {
[[ -n "$TITLE" ]] && CMD="$CMD --title \"$TITLE\"" echo "Error: Could not resolve Gitea login for remote host" >&2
[[ -n "$BODY" ]] && CMD="$CMD --description \"$BODY\"" exit 1
[[ -n "$LABELS" ]] && CMD="$CMD --add-labels \"$LABELS\"" }
[[ -n "$MILESTONE" ]] && CMD="$CMD --milestone \"$MILESTONE\"" CMD=(tea issue edit "$ISSUE_NUMBER" --repo "$REPO_SLUG" --login "$REPO_LOGIN")
eval $CMD [[ -n "$TITLE" ]] && CMD+=(--title "$TITLE")
[[ -n "$BODY" ]] && CMD+=(--description "$BODY")
[[ -n "$LABELS" ]] && CMD+=(--add-labels "$LABELS")
[[ -n "$MILESTONE" ]] && CMD+=(--milestone "$MILESTONE")
"${CMD[@]}"
echo "Updated Gitea issue #$ISSUE_NUMBER" echo "Updated Gitea issue #$ISSUE_NUMBER"
else else
echo "Error: Unknown platform" echo "Error: Unknown platform"

13
packages/mosaic/framework/tools/git/milestone-create.sh
View File

@@ -99,10 +99,15 @@ fi
case "$PLATFORM" in case "$PLATFORM" in
github) github)
# GitHub uses the API for milestone creation # GitHub uses the API for milestone creation
JSON_PAYLOAD="{\"title\":\"$TITLE\"" # Use jq to safely construct JSON so titles/descriptions containing
[[ -n "$DESCRIPTION" ]] && JSON_PAYLOAD="$JSON_PAYLOAD,\"description\":\"$DESCRIPTION\"" # quotes or special characters do not corrupt the payload (F-07).
[[ -n "$DUE_DATE" ]] && JSON_PAYLOAD="$JSON_PAYLOAD,\"due_on\":\"${DUE_DATE}T00:00:00Z\"" JSON_PAYLOAD=$(jq -n \
JSON_PAYLOAD="$JSON_PAYLOAD}" --arg t "$TITLE" \
--arg d "$DESCRIPTION" \
--arg due "${DUE_DATE}" \
'{"title": $t}
+ (if $d != "" then {"description": $d} else {} end)
+ (if $due != "" then {"due_on": ($due + "T00:00:00Z")} else {} end)')
gh api repos/:owner/:repo/milestones --method POST --input - <<< "$JSON_PAYLOAD" gh api repos/:owner/:repo/milestones --method POST --input - <<< "$JSON_PAYLOAD"
echo "Milestone '$TITLE' created successfully" echo "Milestone '$TITLE' created successfully"

2
packages/mosaic/framework/tools/git/pr-metadata.sh
View File

@@ -56,6 +56,8 @@ curl_gitea_pull() {
local api_url="$1" local api_url="$1"
local token basic_auth raw_code body_file http_code local token basic_auth raw_code body_file http_code
body_file=$(mktemp) body_file=$(mktemp)
# Ensure the tmpfile is removed even on early exit (set -e, SIGINT, etc.)
trap 'rm -f "$body_file"' EXIT
token=$(get_gitea_token "$HOST" || true) token=$(get_gitea_token "$HOST" || true)
if [[ -n "$token" ]]; then if [[ -n "$token" ]]; then