[LOW] install.sh: YAML injection via unescaped name/cmd tokens in build_yaml() #5

Closed
opened 2026-05-19 04:42:46 +00:00 by foravo_admin · 1 comment
Owner

Imported from GitHub issue M00C1FER/mesh-review#8.

Source: https://github.com/M00C1FER/mesh-review/issues/8
Original author: @M00C1FER
Original state: closed


Finding 7 — LOW

File: install.sh
Function: build_yaml()
Commit fixing this: 834f8d8441226ac383868a9cb8ac5c69b650581e (PR #1)

Description

build_yaml() writes user-supplied values directly into YAML without quoting or escaping:

echo "  - name: $name"
printf "    cmd: ["
for tok in $cmd; do printf "\"%s\"" "$tok"; done

  • A name like my:llm introduces an extra YAML mapping key, breaking structure.
  • A token like my"arg or my\arg breaks the YAML double-quoted string, potentially causing downstream YAML parse errors or unexpected config values.

Affected locations

Both the bundled-entries loop (lines ~28–33) and the custom CLI block (lines ~40–45) have the same pattern.

Fix Applied

Values are now double-quoted in YAML and backslash/double-quote characters are escaped before writing:

local name_safe; name_safe="$(printf '%s' "$name" | sed 's/\\/\\\\/g; s/"/\\"/g')"
echo "  - name: \"$name_safe\""
local tok_safe; tok_safe="$(printf '%s' "$tok" | sed 's/\\/\\\\/g; s/"/\\"/g')"
printf '"%s"' "$tok_safe"
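The following is an added example, not code from the mesh-review project or its install.sh: a small POSIX sh emitter for the same "- name: / cmd: [...]" entry shape, with the unquoted pattern the finding describes beside a version that applies the fix's backslash/double-quote escaping to every value. The function names (yaml_dq, build_entry_unsafe, build_entry_safe) and the comma-separated cmd list are assumptions for the example; the sample values are the ones named in the finding.

```shell
#!/bin/sh
# Added example (not from mesh-review/install.sh): emit one YAML entry of the
# shape "- name: NAME / cmd: [TOK, ...]" the finding describes, first without
# quoting (the reported defect) and then with the escaping the fix applies.

# yaml_dq: escape a value for use inside a YAML double-quoted scalar.
# Backslashes are doubled first so the quote escape added next is not
# doubled again. Same sed expression as the fix in the finding.
yaml_dq() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_entry_unsafe: the pattern the finding reports. The name is written
# bare, so my:llm becomes a second mapping key, and tokens are wrapped in
# quotes without escaping, so my"arg ends the quoted scalar early.
build_entry_unsafe() {
    name=$1; shift
    printf '  - name: %s\n' "$name"
    printf '    cmd: ['
    sep=""
    for tok in "$@"; do
        printf '%s"%s"' "$sep" "$tok"
        sep=", "
    done
    printf ']\n'
}

# build_entry_safe: every value is double-quoted and passed through yaml_dq,
# so a ':' in the name and '"' or '\' in a token stay inside one scalar.
# Tokens arrive as separate arguments, not via word-splitting of one string.
build_entry_safe() {
    name=$1; shift
    printf '  - name: "%s"\n' "$(yaml_dq "$name")"
    printf '    cmd: ['
    sep=""
    for tok in "$@"; do
        printf '%s"%s"' "$sep" "$(yaml_dq "$tok")"
        sep=", "
    done
    printf ']\n'
}

# Demo on the constructed values from the finding; compare the two outputs.
echo "unsafe:"; build_entry_unsafe 'my:llm' 'run' 'my"arg' 'my\arg'
echo "safe:";   build_entry_safe   'my:llm' 'run' 'my"arg' 'my\arg'
```

Feeding the "safe" output to any YAML parser yields a single entry whose name is `my:llm` and whose cmd list is `run`, `my"arg`, `my\arg`; the "unsafe" output either fails to parse or yields a different structure, which is the behaviour the finding reports.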
foravo_admin 2026-05-19 04:42:46 +00:00
Author
Owner

Imported from GitHub issue comment M00C1FER/mesh-review#8:4362220456.

Source: https://github.com/M00C1FER/mesh-review/issues/8#issuecomment-4362220456
Original author: @M00C1FER


Fixed by merged PR #1.
