security: fix command injection in fly/lib/common.sh bash -c invocations (#1424)

Quote $escaped_cmd in bash -c arguments to prevent word splitting.
While printf '%q' escapes shell metacharacters, the lack of quotes
around the variable causes the shell to split on whitespace before
passing to bash -c, enabling argument injection.

Fixes #1422

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
A 2026-02-17 17:41:42 -08:00 committed by GitHub
parent 22b6a402f4
commit 979fc4a58e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

Diff content is not available
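
The word splitting the commit message describes, shown as an added example that is not part of this commit or of fly/lib/common.sh. `show_argv` is a hypothetical stand-in for `bash -c` that reports the argument vector it receives, and the sample command is constructed.

```bash
#!/usr/bin/env bash
# Added illustration; every name here is constructed for the example.

# Stand-in for `bash -c`: prints the argument count and each argument.
# With the real `bash -c`, the first argument after -c is the command
# string and any further arguments become $0, $1, ... of that command.
show_argv() {
    printf '%d' "$#"
    for arg in "$@"; do
        printf ' [%s]' "$arg"
    done
    printf '\n'
}

# Before the fix: the expansion is unquoted, so the shell splits the value
# on IFS whitespace. The backslashes written by printf '%q' are ordinary
# characters at this point; expansion results are not re-parsed as quoting.
argv_unquoted() {
    show_argv -c $1
}

# After the fix: the quoted expansion reaches the callee as one argument.
argv_quoted() {
    show_argv -c "$1"
}

cmd='echo hello world'               # constructed sample command
escaped_cmd=$(printf '%q' "$cmd")    # bash yields: echo\ hello\ world

argv_unquoted "$escaped_cmd"
argv_quoted "$escaped_cmd"
```

In the unquoted case only the first fragment would be the command string handed to `bash -c`; the remaining fragments arrive as separate arguments.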