Skip to content

fix: harden scripts against injection, SSRF, path traversal#206

Closed
SAY-5 wants to merge 1 commit intosantifer:mainfrom
SAY-5:fix/security-hardening
Closed

fix: harden scripts against injection, SSRF, path traversal#206
SAY-5 wants to merge 1 commit intosantifer:mainfrom
SAY-5:fix/security-hardening

Conversation

@SAY-5
Copy link
Copy Markdown

@SAY-5 SAY-5 commented Apr 12, 2026

Addresses all 9 vulnerabilities from #132 across 6 files:

  • Shell injection via sed in batch-runner.sh — switched to awk for placeholder substitution so URL characters like & and | can't escape into shell commands
  • Unsafe --dangerously-skip-permissions — removed and scoped worker tools to only what's needed
  • Predictable /tmp paths — switched to mktemp with cleanup
  • Git injection via VERSION — strict semver validation before any git operations
  • Unvalidated remote checkout — re-validates VERSION after fetch
  • Path traversal in PDF output — output must stay within project directory
  • SSRF in check-liveness — blocks file://, localhost, private IPs, cloud metadata endpoints
  • Markdown table injection — escapes pipe and newline in table cells
  • Missing .gitignore — added *.bak

Closes #132

@SAY-5
fix: harden scripts against injection, SSRF, path traversal
eda2c04 
- batch-runner.sh: replace sed with awk to prevent shell injection via
  URLs, use mktemp for temp files, scope worker tools
- update-system.mjs: strict semver validation before git operations
- generate-pdf.mjs: restrict output path to project directory
- check-liveness.mjs: block non-HTTP protocols, localhost, private IPs,
  cloud metadata endpoints
- merge-tracker.mjs: escape pipe/newline chars in table cells
- .gitignore: add *.bak

Closes santifer#132
@SAY-5 SAY-5 closed this Apr 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

security checks: fix injection vectors, SSRF, path traversal, and unsafe permissions in batch/update/PDF/liveness scripts

1 participant

@SAY-5