From 177b01fc6032c6f05448959863d1a0dafc8a1eaa Mon Sep 17 00:00:00 2001
From: Chris Gianelloni
Date: Thu, 27 Feb 2025 10:16:05 -0500
Subject: [PATCH] fix: potentially unsafe quoting

CodeQL always complained about this code and Copilot had a suggestion which solves it even though it wasn't really a problem in practice.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 cbor/value.go | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/cbor/value.go b/cbor/value.go
index 9907209e..776febd7 100644
--- a/cbor/value.go
+++ b/cbor/value.go
@@ -231,14 +231,15 @@ func generateAstJsonMap[T map[any]any | Map](v T) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		// NOTE: Github CodeQL hates this due to "potentially unsafe quoting", but it
-		// won't happen in practice since both values injected are auto-generated
-		tmpJson := fmt.Sprintf(
-			`{"k":%s,"v":%s}`,
-			keyAstJson,
-			valAstJson,
-		)
-		tmpItems = append(tmpItems, tmpJson)
+		tmpJsonMap := map[string]json.RawMessage{
+			"k": keyAstJson,
+			"v": valAstJson,
+		}
+		tmpJson, err := json.Marshal(tmpJsonMap)
+		if err != nil {
+			return nil, err
+		}
+		tmpItems = append(tmpItems, string(tmpJson))
 	}
 	// We naively sort the rendered map items to give consistent ordering
 	sort.Strings(tmpItems)
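Review bot: The new `tmpJson, err := json.Marshal(tmpJsonMap)` line changes the rendered bytes, not only how they are built: encoding/json compacts each json.RawMessage and, under json.Marshal's default HTML escaping, rewrites `<`, `>` and `&` inside string values as `\u003c`, `\u003e` and `\u0026`, so a key or value fragment containing whitespace or those characters now renders differently than the old Sprintf output did, which can also shift the `sort.Strings(tmpItems)` ordering below. If byte-stable output matters to callers, marshal through a `json.Encoder` with `SetEscapeHTML(false)` instead; if keyAstJson and valAstJson are themselves produced by json.Marshal upstream they are already escaped and compact, making this a no-op, but that is not visible in the hunk and is worth confirming. The real gain of the change is that json.Marshal now rejects a malformed fragment with an error instead of splicing it into the output, and that reasoning deserves a one-line comment in place of the removed NOTE, e.g. `// Marshal via RawMessage so each fragment is validated as JSON rather than spliced into a format string.` generateAstJsonMap starts and ends outside the hunk.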