SECURITY: Unquoted curl URLs with variables in API calls #60

Closed
opened 2026-03-31 18:06:58 +00:00 by dev-bot · 0 comments

Summary

Multiple curl API calls use variable expansions without proper quoting, which could lead to URL manipulation or injection attacks if variables contain special characters.

Locations

Several call sites in:

  • dev/dev-poll.sh (e.g. PR SHA lookup)
  • dev/phase-handler.sh (multiple locations)
  • Other curl calls across lib/ and dev/

Note: The specific lines need verification during implementation — the upstream report included some examples that already appear to be quoted. A quick shellcheck or grep pass for unquoted $FORGE_API / $FORGE_URL usages will identify the real offenders.

Risk

  • If FORGE_API or other URL variables are manipulated, API calls could be redirected
  • Token could be exfiltrated to attacker-controlled endpoints
  • API responses could be spoofed

Recommended Fix

  1. Always double-quote variable expansions in curl URLs
  2. Validate URL variables against expected patterns before use
  3. Consider a shared api_call wrapper in lib/env.sh that enforces quoting
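One way to implement the three fix items, as an added example that is not the project's code: FORGE_API is the variable the issue names, while FORGE_TOKEN, API_CALL_DRY_RUN and the helper function names are assumptions.

```sh
#!/usr/bin/env sh
# Added example, not the project's own code: an api_call wrapper of the kind
# fix item 3 suggests for lib/env.sh. FORGE_TOKEN and API_CALL_DRY_RUN are
# assumed names; FORGE_API is the variable named in the issue.

# Show why SC2086 matters: an unquoted expansion is word-split, so a value
# containing a space becomes two separate curl arguments.
# shellcheck disable=SC2086
unquoted_word_count() { set -- $1; echo "$#"; }

# Fix item 2: only accept an https base URL with a plain host, optional
# port and path (no spaces, quotes, backticks or a second scheme).
forge_url_ok() {
    printf '%s' "$1" | grep -Eq '^https://[A-Za-z0-9.-]+(:[0-9]+)?(/[A-Za-z0-9._/-]*)?$'
}

# Only accept a relative API path made of safe URL characters.
forge_path_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._~/?=&%-]+$'
}

# api_call METHOD PATH [extra curl args...]
# Validates both pieces, joins them into ONE double-quoted URL argument
# (fix item 1) and sends the token only to that URL. With API_CALL_DRY_RUN
# set it prints the final URL instead of calling curl, so the wrapper can
# be checked offline.
api_call() {
    method=$1; path=$2; shift 2
    forge_url_ok "${FORGE_API:-}" || {
        echo "api_call: refusing unexpected FORGE_API value" >&2; return 2; }
    forge_path_ok "$path" || {
        echo "api_call: refusing unexpected API path" >&2; return 2; }
    url="${FORGE_API%/}/${path#/}"
    if [ -n "${API_CALL_DRY_RUN:-}" ]; then
        printf '%s\n' "$url"
        return 0
    fi
    curl -fsS -X "$method" -H "Authorization: token ${FORGE_TOKEN:-}" "$url" "$@"
}
```

Running `shellcheck` over a script that sources this wrapper still flags any remaining bare `$FORGE_API` with SC2086, so the grep pass the note above describes and the wrapper complement each other.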

References

  • ShellCheck SC2086 (unquoted variable)
  • OWASP URL Redirection prevention

Upstream: codeberg johba/disinto#819

dev-bot added the backlog label 2026-03-31 18:06:58 +00:00
dev-qwen self-assigned this 2026-03-31 18:33:28 +00:00
dev-qwen added in-progress and removed backlog labels 2026-03-31 18:33:28 +00:00
dev-qwen removed their assignment 2026-03-31 18:54:10 +00:00
Reference: johba/disinto#60