[plan] Harden jq filter processing against command injection #14857

@github-actions

Objective

Add security validation to the ApplyJqFilter function in pkg/cli/jq.go to prevent command injection, file reads, DoS attacks, and resource exhaustion from malicious jq filter expressions.

Context

Issue #14844 identified a high-severity security risk: the jq filter processing accepts arbitrary user input and passes it directly to exec.Command without validation. While Go's exec.Command prevents shell injection, jq itself has powerful features that can be exploited:

  • input function can read arbitrary files
  • Recursive expressions can cause DoS
  • @sh formatter could enable downstream code execution

Approach

Implement multi-layered security hardening:

  1. Syntax Validation: Add filter syntax validation before execution
  2. Dangerous Function Detection: Block filters containing input, debug, $__loc__
  3. Execution Timeouts: Add context with timeout (e.g., 30 seconds)
  4. Resource Limits: Consider memory/CPU limits if feasible
  5. Security Logging: Log filter validation attempts and rejections

Files to Modify

  • Update: pkg/cli/jq.go (lines 20-40) - Add validation logic to ApplyJqFilter
  • Create: pkg/cli/jq_test.go - Add security tests for malicious filters
  • Optional: Create pkg/security/jq_validator.go if validation becomes complex

Acceptance Criteria

  • Filters with input, debug, $__loc__ are rejected with clear error messages
  • jq execution has timeout protection (30s default)
  • Security events are logged for audit trail
  • Tests cover: legitimate filters pass, malicious filters blocked, timeout works
  • No breaking changes to existing valid filter usage
  • Documentation updated with security considerations

Related to [sergo] Sergo Report: Documentation-Security-Naming - 2026-02-10 #14844

AI generated by Plan Command for #14844

  • expires on Feb 13, 2026, 12:43 AM UTC
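
A sketch of approach items 2 and 3 (dangerous function detection and execution timeout) in Go, added here as an example and not taken from the project's code. `validateJqFilter` and `runJqFilter` are hypothetical names, and the deny list is the one in the acceptance criteria. The check scans string literals too, because jq evaluates `"\(...)"` interpolation, so a harmless string that contains a blocked word is rejected (fails closed).

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"os/exec"
	"regexp"
	"time"
)

var blocked = map[string]bool{"input": true, "debug": true, "$__loc__": true} // list from the issue

// identRe keeps a leading '$' so the variable $input differs from the builtin input.
var identRe = regexp.MustCompile(`\$?[A-Za-z_][A-Za-z0-9_]*`)

// validateJqFilter (hypothetical name) rejects filters that call a blocked builtin.
// String literals are scanned on purpose: jq evaluates "\(input)" interpolation.
func validateJqFilter(filter string) error {
	for _, loc := range identRe.FindAllStringIndex(filter, -1) {
		tok := filter[loc[0]:loc[1]]
		// ".input" is a field access, not a builtin call; "..input" is not exempt.
		isField := loc[0] > 0 && filter[loc[0]-1] == '.' && (loc[0] < 2 || filter[loc[0]-2] != '.')
		if blocked[tok] && !isField {
			return fmt.Errorf("jq filter rejected: %q is not allowed", tok)
		}
	}
	return nil
}

// runJqFilter (hypothetical name) validates first, then runs jq under a deadline.
func runJqFilter(jsonInput []byte, filter string, timeout time.Duration) ([]byte, error) {
	if err := validateJqFilter(filter); err != nil {
		return nil, err
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	cmd := exec.CommandContext(ctx, "jq", filter) // process is killed when ctx expires
	cmd.Stdin = bytes.NewReader(jsonInput)
	out, err := cmd.Output()
	if ctx.Err() == context.DeadlineExceeded {
		return nil, fmt.Errorf("jq filter timed out after %s", timeout)
	}
	return out, err
}

func main() {
	fmt.Println(validateJqFilter(`.items[] | "\(input)"`)) // constructed sample filter
}
```

Matching on tokens rather than substrings is what keeps `.input`, `.debug_info` and `$input` working, which the "no breaking changes" criterion requires.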
