fix: escape single quotes in Policy.pm shell output#17
Draft
Koan-Bot wants to merge 1 commit intoPerl-Toolchain-Gang:mainfrom
Draft
fix: escape single quotes in Policy.pm shell output#17Koan-Bot wants to merge 1 commit intoPerl-Toolchain-Gang:mainfrom
Koan-Bot wants to merge 1 commit intoPerl-Toolchain-Gang:mainfrom
Conversation
ccflags values were interpolated directly into a single-quoted shell string without escaping. A value containing a single quote (e.g. -DPATH='/usr/local') would break the shell quoting and could enable command injection in the generated Policy.sh script. Add _shell_escape_sq() helper that replaces ' with '\'' (the standard shell idiom: close quote, escaped literal quote, reopen quote). Apply it to all ccflags values before interpolation in default_Policy(). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Escape single quotes in
default_Policy()before interpolating ccflags into shell script output.Why
ccflagsarray values were interpolated directly into a single-quoted shell string (ccflags='@ccflags'). A value containing'(e.g.-DPATH='/usr/local') would break shell quoting and could enable command injection in the generatedPolicy.sh.SECURITY — Shell injection via unescaped single quotes in generated Policy.sh. Values with crafted single quotes could break out of the shell string and execute arbitrary commands.
How
Added
_shell_escape_sq()helper that applies the standard shell idiom: replace each'with'\''(close quote, escaped literal quote, reopen quote). Called on every ccflag value indefault_Policy()before interpolation.Note:
_do_subst()has a similar pattern (substituting values into ccflags lines) but operates on user-provided policy templates where the quoting context varies — flagged for separate evaluation.Testing
🤖 Generated with Claude Code
Quality Report
Changes: 2 files changed, 37 insertions(+), 2 deletions(-)
Code scan: clean
Tests: skipped
Branch hygiene: clean
Generated by Kōan post-mission quality pipeline