fix(sec): SEC-01 replace shell interpolation in python3 -c with heredoc #58
Merged: majiayu000 merged 2 commits into main, Apr 12, 2026
Commit: …ed.sh

SEC-01: LOG_DIR, VIBEGUARD_DIR, REFLECTION_FILE, mf, CUTOFF, and BEFORE were interpolated directly into python3 -c double-quoted strings. A value containing a single quote could break Python syntax; a crafted env var could execute arbitrary code when the launchd/systemd timer fires. Fix: replace all three python3 -c "..." blocks with heredoc (<<'PYEOF') and pass paths exclusively via prefixed env vars (_GC_*) read through os.environ inside Python. Also unescape shell-escaped \" sequences that are now unnecessary and would cause SyntaxError in Python < 3.12.

Signed-off-by: majiayu000 <1835304752@qq.com>

Commit: …validator

docs/how/memory-files.md uses `project/.claude/CLAUDE.md` as a conceptual placeholder to illustrate where a project-level CLAUDE.md lives. The path does not exist in this repo and is not meant to — it is documentation prose, not a file reference. Add it to the allowlist so validate-doc-paths.sh stops treating it as a broken link.

Signed-off-by: majiayu000 <1835304752@qq.com>
majiayu000 (Owner, Author): /gemini review

1 similar comment
Summary

- `LOG_DIR`, `VIBEGUARD_DIR`, `REFLECTION_FILE`, `mf`, `CUTOFF`, and `BEFORE` were interpolated directly into `python3 -c "..."` double-quoted strings in `scripts/gc/gc-scheduled.sh`. A value containing a single quote breaks Python syntax; a crafted `VIBEGUARD_LOG_DIR` env var could execute arbitrary Python code when the launchd/systemd timer fires.
- … `python3 -c "..."` blocks with `python3 <<'PYEOF'` heredocs (single-quoted delimiter — no shell expansion).
- … `_GC_CUTOFF`, `_GC_MF`, `_GC_BEFORE`, `_GC_LOG_DIR`, `_GC_VIBEGUARD_DIR`, `_GC_REFLECTION_FILE`) and read inside Python via `os.environ`.
- … `\"` sequences inside f-string expressions that were valid only inside a shell double-quoted string and would cause `SyntaxError` in Python < 3.12.

Test plan

- … `ast.parse`)
- … `bash scripts/gc/gc-scheduled.sh` in a sandboxed env to confirm normal operation
- … `VIBEGUARD_LOG_DIR` to a path containing single quotes and confirm no injection
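An added example, not the project's `gc-scheduled.sh`, showing the `python3 -c` interpolation pattern the PR removes next to the quoted-heredoc plus prefixed-env-var form it introduces; the function names, the `_GC_DIR` variable and the directory whose name contains a single quote are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not the project's code). Both functions count the files in
# a directory whose mtime is at or after a cutoff (epoch seconds).

# Pattern the PR removes: the shell expands "$dir" and "$cutoff" straight
# into Python source text. A single quote in the directory name terminates
# the Python string early (SyntaxError), and the same mechanism lets a
# crafted value be parsed as Python code rather than as a path.
count_recent_unsafe() {
  local dir="$1" cutoff="$2"
  python3 -c "
import os
d = '$dir'
n = sum(1 for f in os.listdir(d)
        if os.stat(os.path.join(d, f)).st_mtime >= $cutoff)
print(n)
" 2>/dev/null
}

# Pattern the PR introduces: the quoted delimiter <<'PYEOF' disables shell
# expansion inside the heredoc, so the Python source is fixed text. Values
# reach Python only through prefixed env vars read via os.environ, where
# they are data and cannot change the program.
count_recent_safe() {
  local dir="$1" cutoff="$2"
  _GC_DIR="$dir" _GC_CUTOFF="$cutoff" python3 <<'PYEOF'
import os
d = os.environ["_GC_DIR"]
cutoff = float(os.environ["_GC_CUTOFF"])
n = sum(1 for f in os.listdir(d)
        if os.stat(os.path.join(d, f)).st_mtime >= cutoff)
print(n)
PYEOF
}

# Constructed fixture: a temp directory whose name contains a single quote,
# mirroring the PR's test plan of a quote-bearing VIBEGUARD_LOG_DIR.
demo_dir="$(mktemp -d)/it's a dir"
mkdir -p "$demo_dir"
touch "$demo_dir/a.log" "$demo_dir/b.log"

count_recent_safe "$demo_dir" 0          # prints 2
count_recent_unsafe "$demo_dir" 0 || echo "unsafe variant failed to parse"
```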