
Conversation


@github-actions github-actions bot commented Jan 22, 2026

Security Fix: Unsafe Quoting in Project Views Configuration

Alert Number: #538
Severity: Critical
Rule: go/unsafe-quoting
CWE: CWE-78 (OS Command Injection), CWE-89 (SQL Injection), CWE-94 (Code Injection)

Vulnerability Description

The code was constructing a shell environment variable by embedding JSON data directly into a single-quoted string without proper escaping. If the JSON data contained a single quote character, it could break out of the enclosing quotes and potentially allow command injection.

Vulnerable Code (Line 47):

customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_VIEWS: '%s'\n", string(viewsJSON)))

If viewsJSON contains the character ', it would prematurely close the string literal and potentially execute arbitrary shell commands.

Location

  • File: pkg/workflow/update_project_job.go
  • Line: 47
  • Function: buildUpdateProjectJob

Fix Applied

Added proper shell escaping for single quotes before embedding the JSON data into the environment variable string. The fix uses POSIX-compatible shell escaping:

  1. Escape backslashes first: \ becomes \\ (prevents interference with quote escaping)
  2. Escape single quotes: '\'' (ends the quoted string, adds escaped quote, starts new quoted string)

Changes Made:

  • Added strings import for string manipulation
  • Replaced backslashes with double backslashes to prevent escape sequence interference
  • Replaced single quotes with '\'' (POSIX shell escape sequence)
  • Applied escaping to viewsJSON before embedding in the format string

Secure Code (Lines 48-52):

// Escape single quotes in JSON to prevent shell injection
// Replace backslashes first, then single quotes
escapedJSON := strings.ReplaceAll(string(viewsJSON), `\`, `\\`)
escapedJSON = strings.ReplaceAll(escapedJSON, `'`, `'\''`)
customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_VIEWS: '%s'\n", escapedJSON))

Security Best Practices

This fix follows CodeQL's recommendations for handling potentially untrusted data:

  1. Input Sanitization: Always escape special characters when embedding user-provided or dynamic data into shell commands
  2. Defense in Depth: The escaping approach handles both backslashes and quotes to prevent complex injection attempts
  3. POSIX Compliance: The '\'' technique works across all POSIX-compliant shells (bash, sh, zsh, etc.)
  4. Preserve Functionality: The fix maintains the original behavior while preventing injection attacks

Testing Considerations

  • Unit Tests: Consider adding tests with JSON data containing single quotes, backslashes, and other special characters
  • Integration Tests: Test the workflow with project views that contain special characters in their configuration
  • Security Testing: Verify that malicious input cannot break out of the quoted string

Automated by: Code Scanning Fixer Workflow
Run ID: 21263052463

AI generated by Code Scanning Fixer


Changeset

  • Type: patch
  • Description: Escape single quotes and backslashes when embedding JSON into shell environment variables to prevent shell injection (fixes go/unsafe-quoting).

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

- Add proper shell escaping for JSON data embedded in environment variables
- Prevents potential command injection via single quotes in user data
- Fixes CodeQL alert #538 (Critical severity)
- Uses POSIX-compatible '\'' escaping technique

Security: Addresses CWE-78, CWE-89, CWE-94
return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
}
customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: '%s'\n", string(viewsJSON)))
// Escape single quotes in JSON to prevent shell injection
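Review bot: the escaping on the appended customEnvVars line targets the wrong consumer. GH_AW_PROJECT_VIEWS: '%s' is a single-quoted scalar inside the generated workflow's YAML mapping, as the review comment below points out, and YAML's single-quoted form has exactly one escape, the doubled quote '' (a backslash is literal there). The shell idiom '\'' is not a YAML escape: a YAML reader closes the scalar at the first ' in the JSON and treats the rest of the line as an error. Either double the quotes, or write the value through a YAML encoder or a double-quoted form such as %q, whose \" and \\ escapes YAML's double-quoted scalar also accepts.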

@copilot we are writing a value in a yaml dictionary. The ' ' are not strictly needed. Encode viewsJSON using the YAML Marshal encoder instead.


Copilot AI commented Jan 22, 2026

@pelikhan I've opened a new pull request, #11386, to work on those changes. Once the pull request is ready, I'll request review from you.

* Initial plan

* Use %q for JSON escaping in YAML dictionary values

Replaced manual single-quote escaping with Go's %q format specifier, which:
- Automatically handles all special characters and escaping
- Produces cleaner YAML with double quotes instead of single quotes
- Follows existing codebase patterns (e.g., add_comment.go)
- Simplifies code by removing manual string replacement logic

This addresses the feedback to use simpler escaping for JSON data in YAML dictionary values.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
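The two encodings discussed in this thread, the POSIX '\'' escaping from the Code Scanning Fixer description above and the %q rendering adopted in the follow-up #11386, side by side in an added Go example that is not gh-aw's code. It also includes YAML's own single-quoted form ('' doubling) and a small decoder for that scalar type, both my additions, to show which encodings the YAML reader that consumes the generated env: block can actually take apart. The function names, the envLine helper and the sample project view are constructed for illustration; only the GH_AW_PROJECT_VIEWS line format is taken from the PR.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// shellSingleQuote wraps s in POSIX single quotes, closing and reopening the
// quotes around each embedded ' ('\''). Backslashes need no treatment: inside
// single quotes a POSIX shell takes every character literally.
func shellSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, `'`, `'\''`) + "'"
}

// yamlSingleQuote produces a YAML single-quoted scalar. YAML's only escape in
// this form is the doubled quote ''; backslash is an ordinary character.
func yamlSingleQuote(s string) string {
	return "'" + strings.ReplaceAll(s, `'`, `''`) + "'"
}

// yamlDoubleQuote is what fmt.Sprintf("%q", s) emits: a Go double-quoted
// literal. Its escapes (\" \\ \n \t \xNN \uNNNN \UNNNNNNNN) are all accepted
// in a YAML double-quoted scalar, so for the valid UTF-8 that json.Marshal
// produces the result is also a valid YAML value.
func yamlDoubleQuote(s string) string {
	return strconv.Quote(s)
}

// decodeYAMLSingleQuoted is a minimal reader for one YAML single-quoted
// scalar that must span the whole input, as a value alone on its line does.
// It is just enough to show which encodings a YAML parser can reverse.
func decodeYAMLSingleQuoted(in string) (string, error) {
	if len(in) < 2 || in[0] != '\'' {
		return "", errors.New("not a single-quoted scalar")
	}
	var out strings.Builder
	for i := 1; i < len(in); i++ {
		c := in[i]
		if c != '\'' {
			out.WriteByte(c)
			continue
		}
		// '' inside the scalar is a literal quote; a lone ' closes it.
		if i+1 < len(in) && in[i+1] == '\'' {
			out.WriteByte('\'')
			i++
			continue
		}
		if i != len(in)-1 {
			return "", fmt.Errorf("trailing content after scalar: %q", in[i+1:])
		}
		return out.String(), nil
	}
	return "", errors.New("unterminated single-quoted scalar")
}

// envLine renders the env entry the way the generated workflow does, with the
// JSON value already encoded by enc (hypothetical helper, not gh-aw's API).
func envLine(viewsJSON string, enc func(string) string) string {
	return fmt.Sprintf("          GH_AW_PROJECT_VIEWS: %s\n", enc(viewsJSON))
}

func main() {
	// Constructed input: a view whose name carries a single quote, double
	// quotes and a backslash, the characters the alert and the fix are about.
	views := []map[string]string{{"name": `Bob's "todo" list \ backlog`, "layout": "board"}}
	raw, err := json.Marshal(views)
	if err != nil {
		panic(err)
	}
	viewsJSON := string(raw)

	fmt.Print(envLine(viewsJSON, shellSingleQuote))
	fmt.Print(envLine(viewsJSON, yamlSingleQuote))
	fmt.Print(envLine(viewsJSON, yamlDoubleQuote))

	// Feed the two single-quoted forms to the YAML-style reader: only the ''
	// encoding round-trips; the shell encoding stops the scalar at the first '.
	for name, enc := range map[string]func(string) string{"shell '\\''": shellSingleQuote, "yaml ''": yamlSingleQuote} {
		got, err := decodeYAMLSingleQuoted(enc(viewsJSON))
		fmt.Printf("%-12s roundtrip=%v err=%v\n", name, got == viewsJSON, err)
	}
}
```

The one caveat with the %q route: strconv.Quote writes bytes that are not valid UTF-8 as \xNN, which YAML reads as a code point rather than a raw byte. json.Marshal never emits invalid UTF-8 (it substitutes U+FFFD), so the generated value is unaffected, but the same trick applied to arbitrary bytes would not be.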
@pelikhan

@copilot recompile


Copilot AI commented Jan 22, 2026

@pelikhan I've opened a new pull request, #11392, to work on those changes. Once the pull request is ready, I'll request review from you.

…ing (#11392)

* Initial plan

* Recompile workflows after security fix

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan added the smoke label Jan 22, 2026
@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions bot commented Jan 22, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 22, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions bot commented Jan 22, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP
  • ✅ Safe Inputs GH CLI
  • ✅ Serena MCP
  • ✅ Playwright
  • ✅ File Writing
  • ✅ Bash Tool

Overall Status: PASS

cc @pelikhan

AI generated by Smoke Copilot

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

GitHub MCP (last 2 merged PRs): ✅ Replace manual quote escaping with %q format specifier for YAML encoding; Replace manual quote escaping with %q format specifier
safeinputs-gh pr list: ✅
Serena activate_project: ✅
Playwright github.com title contains "GitHub": ✅
Tavily search results: ✅
File write (/tmp/gh-aw/agent/smoke-test-codex-21267824404.txt): ✅
Bash cat verify: ✅
Overall status: PASS

AI generated by Smoke Codex

@github-actions

Smoke Test: PASS

Retrieved PRs:

Test Results: ✅ GitHub MCP | ✅ Safe Inputs GH CLI | ✅ Serena MCP | ✅ Playwright | ✅ Tavily | ✅ File Write | ✅ Bash

Overall Status: PASS

AI generated by Smoke Claude

@pelikhan pelikhan marked this pull request as ready for review January 22, 2026 23:00
@pelikhan pelikhan enabled auto-merge (squash) January 22, 2026 23:00
@pelikhan pelikhan merged commit 1b5ed9b into main Jan 22, 2026
48 checks passed
@pelikhan pelikhan deleted the fix/code-scanning-alert-538-unsafe-quoting-v2-00bd24b6b438b87e branch January 22, 2026 23:00

3 participants