RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(security): sanitize telemetry JSONL inputs against injection 

SKILL, OUTCOME, SESSION_ID, SOURCE, and EVENT_TYPE values go directly
into printf %s for JSONL output. If any contain double quotes,
backslashes, or newlines, the JSON breaks — or worse, injects
arbitrary fields.

Fix: strip quotes, backslashes, and control characters from all
string fields before JSONL construction via json_safe() helper.
This commit is contained in:
Arun Kumar Thiagarajan 2026-03-25 08:51:15 +05:30
parent 7e0b879f8c
commit 0502df6fdb
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bin/gstack-telemetry-log
View File

@ -151,6 +151,14 @@ fi
# ─── Construct and append JSON ─────────────────────────────── # ─── Construct and append JSON ───────────────────────────────
mkdir -p "$ANALYTICS_DIR" mkdir -p "$ANALYTICS_DIR"
# Sanitize string fields for JSON safety (strip quotes, backslashes, control chars)
json_safe() { printf '%s' "$1" | tr -d '"\\\n\r\t' | head -c 200; }
SKILL="$(json_safe "$SKILL")"
OUTCOME="$(json_safe "$OUTCOME")"
SESSION_ID="$(json_safe "$SESSION_ID")"
SOURCE="$(json_safe "$SOURCE")"
EVENT_TYPE="$(json_safe "$EVENT_TYPE")"
# Escape null fields # Escape null fields
ERR_FIELD="null" ERR_FIELD="null"
[ -n "$ERROR_CLASS" ] && ERR_FIELD="\"$ERROR_CLASS\"" [ -n "$ERROR_CLASS" ] && ERR_FIELD="\"$ERROR_CLASS\""