…neration

**Alert Number**: #16
**Severity**: Critical (security_severity_level)
**Rule**: go/unsafe-quoting (CWE-78, CWE-89, CWE-94)

## Vulnerability Description

The code was directly embedding JSON-serialized domain arrays into a Python
script using fmt.Sprintf without proper escaping. While json.Marshal output
is typically safe for []string types, CodeQL correctly identified this as a
potential injection vector since the JSON content could theoretically contain
quotes that break out of the string context.

## Fix Applied

Changed the approach from embedding JSON as a Python literal to using Python's
json.loads() to parse the JSON at runtime:

1. Added proper escaping for backslashes and single quotes before embedding
2. Changed from `ALLOWED_DOMAINS = %s` (direct literal) to
   `ALLOWED_DOMAINS = json.loads('%s')` (runtime parsing)
3. Updated the escapedJSON variable usage in fmt.Sprintf

This eliminates any potential quoting vulnerabilities by:
- Explicitly escaping special characters (\ and ')
- Using json.loads() which safely handles all JSON content
- Making the security intent clearer in the code

## Security Best Practices

- Never embed user-controlled or serialized data directly into code literals
- Always use proper escaping mechanisms for the target language
- Prefer runtime parsing over literal embedding for complex data structures
- Escape backslashes first to prevent escape sequence interference

## Testing Considerations

- All existing tests pass with updated expectations
- The generated Python script correctly parses domain lists
- Empty domain lists (deny-all policy) are handled correctly
- Domain patterns with special characters are properly escaped

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

…#16)

Fixes CodeQL alert #16 (go/unsafe-quoting) with Critical security severity.

## Vulnerability Description

The code was embedding JSON-serialized domain arrays directly into a
Python script without proper escaping, creating a potential injection
vulnerability (CWE-78, CWE-89, CWE-94). If the JSON contains double
quotes or special characters, it could break out of the Python string
context and alter the script structure.

## Fix Applied

1. Added proper escaping for backslashes and single quotes
2. Changed from direct embedding to using Python's json.loads() at runtime
3. Updated test expectations to match the new secure format

## Security Best Practices Applied

- Never embed serialized data directly into code literals
- Always use proper escaping for the target language
- Prefer runtime parsing over literal embedding for complex data
- Escape backslashes first to prevent escape sequence interference

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

**Alert Number**: #16
**Severity**: Critical
**Rule**: go/unsafe-quoting

## Vulnerability Description

The code was embedding JSON-serialized domain lists directly into a Python
script using string formatting without proper escaping. If the JSON contained
double quotes in an unexpected way, it could break out of the enclosing quotes
and potentially change the structure of the Python code.

## Fix Applied

1. Added `strconv.Quote()` to properly escape the JSON string before embedding
   it in the Python script template
2. Changed the Python code to use `json.loads()` to parse the escaped JSON
   string, making the approach more explicit and safer
3. Updated all related tests to check for the new escaped format

## Security Best Practices

- Using `strconv.Quote()` ensures that any special characters (including quotes)
  are properly escaped according to Go string literal rules
- Using `json.loads()` on the Python side makes the intent clear and provides
  an additional layer of safety by parsing the JSON in a structured way
- This prevents potential code injection vulnerabilities (CWE-78, CWE-89, CWE-94)

## Testing Considerations

All existing tests have been updated and pass successfully. The fix maintains
backward compatibility in terms of functionality while improving security.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

…eration (Alert #16)

Use json.loads() with triple-quoted strings instead of direct JSON embedding
to eliminate any potential quoting vulnerabilities when generating Python
network permission hooks. This prevents CWE-78, CWE-89, and CWE-94 injection
attacks that could occur if JSON contains quotes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

…eration (Alert #16) (#4526)

Use json.loads() with triple-quoted strings instead of direct JSON embedding
to eliminate any potential quoting vulnerabilities when generating Python
network permission hooks. This prevents CWE-78, CWE-89, and CWE-94 injection
attacks that could occur if JSON contains quotes.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>