From 255ffbf8b719c05262900f8d12611c48cb429223 Mon Sep 17 00:00:00 2001
From: A <258483684+la14-1@users.noreply.github.com>
Date: Thu, 26 Mar 2026 12:56:07 -0700
Subject: [PATCH] fix(security): use grep -F for literal string matching in PATH checks (#3021)

Fixes #3019 Replace `grep -qx` with `grep -qxF` in the `ensure_in_path` function to prevent regex pattern injection. Without -F, attacker-controlled SPAWN_INSTALL_DIR or BUN_INSTALL env vars containing regex metacharacters (e.g. `/.*`) could cause false positive/negative PATH matches, potentially bypassing the symlink creation logic. Agent: issue-fixer
Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5
---
 sh/cli/install.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sh/cli/install.sh b/sh/cli/install.sh
index 9f903e74..d45e2d53 100755
--- a/sh/cli/install.sh
+++ b/sh/cli/install.sh
@@ -169,10 +169,10 @@ ensure_in_path() {
 # 1. Check if install_dir and bun are already in the user's real PATH
 local spawn_in_path=false
 local bun_in_path=false
- if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qx "${install_dir}"; then
+ if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qxF "${install_dir}"; then
 spawn_in_path=true
 fi
- if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qx "${bun_bin_dir}"; then
+ if echo "${_SPAWN_ORIG_PATH}" | tr ':' '\n' | grep -qxF "${bun_bin_dir}"; then
 bun_in_path=true
 fi
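Review bot: The two new `grep -qxF "${install_dir}"` / `grep -qxF "${bun_bin_dir}"` calls still place the variable in option position, so a value that begins with `-` (the same env-derived inputs the commit message calls attacker-controlled) is parsed by grep as an option rather than as the fixed string to match; terminate option parsing with `--`, i.e. `grep -qxF -- "${install_dir}"` and `grep -qxF -- "${bun_bin_dir}"`. A process-free alternative that sidesteps both the regex and the option-parsing concern is a `case` match on the colon-wrapped path, `case ":${_SPAWN_ORIG_PATH}:" in *":${install_dir}:"*) spawn_in_path=true ;; esac`, with the same form for `bun_bin_dir`. Note that the check is now a byte-exact entry comparison, so a PATH entry differing only by a trailing slash or an unexpanded `~` will not be recognised as present; a one-line comment stating that exact-match is intended would help the next reader. ensure_in_path begins before this hunk and continues past it.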