fix: address code review feedback

- Fix command injection vulnerabilities in pre-commit script
- Use proper file path quoting for YAML validation
- Use xargs -0 for safe filename handling
- Fix incorrect date (2026 -> 2025) in documentation
- Add scripts/git to allowed directories in repo_health workflow

Co-authored-by: jmiller-moko <230051081+jmiller-moko@users.noreply.github.com>
copilot-swe-agent[bot]
2026-01-04 04:29:20 +00:00
parent e1c7f54fec
commit 15205433c9
4 changed files with 9 additions and 7 deletions


@@ -36,7 +36,7 @@ env:
# Scripts governance policy
# Note: directories listed without a trailing slash.
SCRIPTS_REQUIRED_DIRS:
SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/git,scripts/lib,scripts/release,scripts/run,scripts/validate
# Repo health policy
# Files are listed as-is; directories must end with a trailing slash.


@@ -348,5 +348,5 @@ make help # Show all commands
---
**Document Version:** 1.0.0
**Last Updated:** 2026-01-04
**Last Updated:** 2025-01-04
**Get Started:** Run `make dev-setup` now!


@@ -468,5 +468,5 @@ phpcs --standard=phpcs.xml --report=source src/
---
**Document Version:** 1.0.0
**Last Updated:** 2026-01-04
**Last Updated:** 2025-01-04
**Maintained by:** Moko Consulting Engineering


@@ -133,11 +133,12 @@ YAML_FILES=$(echo "$STAGED_FILES" | grep -E '\.(yml|yaml)$' || true)
if [ -n "$YAML_FILES" ]; then
while IFS= read -r file; do
if [ -f "$file" ]; then
if python3 -c "import yaml; yaml.safe_load(open('$file'))" 2>/dev/null; then
# Use printf to safely pass the file path, avoiding injection
if python3 -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" "$file" 2>/dev/null; then
log_success "YAML valid: $file"
else
log_error "YAML invalid: $file"
python3 -c "import yaml; yaml.safe_load(open('$file'))" || true
python3 -c "import sys, yaml; yaml.safe_load(open(sys.argv[1]))" "$file" || true
FAILURES=$((FAILURES + 1))
fi
fi
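Review bot: The comment added just before the first python3 call says "Use printf to safely pass the file path", but the new code never calls printf; it hands the path to Python as an argv entry read via `sys.argv[1]`, and that separation from the Python source string is what actually closes the injection. Suggest `# Pass the path as a separate argv entry so it is never interpolated into the Python source` so the comment matches the mechanism. The same mismatch appears in the phpcs hunk further down, whose new comment mentions process substitution while the code uses `tr '\n' '\0' | xargs -0`; something like `# NUL-terminate the list so xargs -0 keeps paths with spaces intact` would describe it. The `2>/dev/null` on the first validation still turns a missing PyYAML module into "YAML invalid", though the unsuppressed rerun on the failure path does surface the real error. The while loop wrapping this block opens inside the hunk but closes outside it, so how the file list is fed in is not visible here.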
@@ -210,11 +211,12 @@ if [ "$SKIP_QUALITY" = false ] && command -v phpcs >/dev/null 2>&1; then
PHP_FILES=$(echo "$STAGED_FILES" | grep '\.php$' || true)
if [ -n "$PHP_FILES" ]; then
if echo "$PHP_FILES" | xargs phpcs --standard=phpcs.xml -q 2>/dev/null; then
# Use process substitution to avoid issues with filenames containing spaces
if echo "$PHP_FILES" | tr '\n' '\0' | xargs -0 phpcs --standard=phpcs.xml -q 2>/dev/null; then
log_success "PHPCS passed"
else
log_warning "PHPCS found issues (non-blocking)"
echo "$PHP_FILES" | xargs phpcs --standard=phpcs.xml --report=summary || true
echo "$PHP_FILES" | tr '\n' '\0' | xargs -0 phpcs --standard=phpcs.xml --report=summary || true
fi
else
echo " No PHP files to check"