RomanNum3ral
/
gstack
mirror of https://github.com/garrytan/gstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge PR #237: sanitize gstack-slug output against shell injection

This commit is contained in:
Garry Tan 2026-03-22 09:56:13 -07:00
parent 60d6e374ec 4425d4453b
commit 949ccbe73c
No known key found for this signature in database
GPG Key ID: C1F69E85C74EFE1D
1 changed files with 10 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
bin/gstack-slug
View File

@ -1,9 +1,15 @@
#!/usr/bin/env bash #!/usr/bin/env bash
# gstack-slug — output project slug and sanitized branch name # gstack-slug — output project slug and sanitized branch name
# Usage: source <(gstack-slug) → sets SLUG and BRANCH variables # Usage: eval $(gstack-slug) → sets SLUG and BRANCH variables
# Or: gstack-slug → prints SLUG=... and BRANCH=... lines # Or: gstack-slug → prints SLUG=... and BRANCH=... lines
#
# Security: output is sanitized to [a-zA-Z0-9._-] only, preventing
# shell injection when consumed via eval $(gstack-slug).
set -euo pipefail set -euo pipefail
SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-') RAW_SLUG=$(git remote get-url origin 2>/dev/null | sed 's|.*[:/]\([^/]*/[^/]*\)\.git$|\1|;s|.*[:/]\([^/]*/[^/]*\)$|\1|' | tr '/' '-')
BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-') RAW_BRANCH=$(git rev-parse --abbrev-ref HEAD 2>/dev/null | tr '/' '-')
# Strip any characters that aren't alphanumeric, dot, hyphen, or underscore
SLUG=$(printf '%s' "$RAW_SLUG" | tr -cd 'a-zA-Z0-9._-')
BRANCH=$(printf '%s' "$RAW_BRANCH" | tr -cd 'a-zA-Z0-9._-')
echo "SLUG=$SLUG" echo "SLUG=$SLUG"
echo "BRANCH=$BRANCH" echo "BRANCH=$BRANCH"