mirror of https://github.com/garrytan/gstack.git
The gstack-slug script is consumed via eval $(gstack-slug) throughout skill templates. If a git remote URL contains shell metacharacters like $(), backticks, or semicolons, they would be executed by eval.

Fix: strip all characters except [a-zA-Z0-9._-] from both SLUG and BRANCH before output. This preserves normal values while neutralizing any injection payload in malicious remote URLs.

Before: eval $(gstack-slug) with remote "foo/bar$(rm -rf /)" → executes rm
After: eval $(gstack-slug) with remote "foo/bar$(rm -rf /)" → SLUG=foo-barrm-rf-
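The allow-list filter the commit describes, as an added example in POSIX sh (not the gstack-slug script itself): the "before" emitter passes raw values into the eval'd output, the "after" emitter deletes every byte outside [a-zA-Z0-9._-] first. The `remote_path` derivation and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the gstack-slug script. It reproduces the fix described
# in the commit: allow-list the characters in SLUG and BRANCH before printing
# the assignments that callers feed to `eval`. The path-derivation rules below
# are an assumption about how a slug might be built; only the filtering step
# is what the commit describes.

# Delete every byte outside [a-zA-Z0-9._-]. Deleting (rather than escaping)
# means no $(...), backtick, ';', quote or whitespace survives to reach eval.
sanitize() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9._-'
}

# Reduce a remote URL to its owner/repo path (assumed derivation).
remote_path() {
  r=${1%.git}
  case $r in
    *://*) r=${r#*://}; r=${r#*/} ;;   # https://host/owner/repo
    *@*:*) r=${r#*:} ;;                # git@host:owner/repo
  esac
  printf '%s' "$r"
}

# Slug = path with '/' turned into '-', then filtered.
slug_from_remote() {
  p=$(remote_path "$1")
  sanitize "$(printf '%s' "$p" | tr '/' '-')"
}

# "Before": raw values go straight into the output. Any shell metacharacter
# in the remote URL or branch name becomes code once eval'd. Never eval this.
emit_vars_unsafe() {
  printf 'SLUG=%s\nBRANCH=%s\n' "$(remote_path "$1" | tr '/' '-')" "$2"
}

# "After": both values pass through sanitize, so the printed assignments can
# only contain [a-zA-Z0-9._-] and are safe to eval even unquoted.
emit_vars() {
  printf 'SLUG=%s\nBRANCH=%s\n' "$(slug_from_remote "$1")" "$(sanitize "$2")"
}

# Stand-alone demo with a constructed hostile remote and branch name.
eval "$(emit_vars 'foo/bar;$(id)' 'main`id`')"
printf 'SLUG=%s BRANCH=%s\n' "$SLUG" "$BRANCH"   # SLUG=foo-barid BRANCH=mainid
```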
| Name |
|---|
| dev-setup |
| dev-teardown |
| gstack-analytics |
| gstack-community-dashboard |
| gstack-config |
| gstack-diff-scope |
| gstack-review-log |
| gstack-review-read |
| gstack-slug |
| gstack-telemetry-log |
| gstack-telemetry-sync |
| gstack-update-check |