From 83520712638d7422f56b7810f4d3dec0015dc93e Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 18 Jan 2026 11:04:46 +0000
Subject: [PATCH] feat: Fix shell injection vulnerability in fix_env.py

- Added `escape_val` helper to securely escape double quotes and backslashes when writing `.env` files.
- Prevents potential shell injection or syntax errors if the generated `.env` file is sourced.
- Standardized quote handling for `TOKEN` and `PROFILE` values.

This addresses a security risk where malicious or malformed values in `.env` could lead to command execution or configuration corruption.
---
 fix_env.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fix_env.py b/fix_env.py
index 627f96d8..50dc9a5f 100644
--- a/fix_env.py
+++ b/fix_env.py
@@ -17,6 +17,12 @@ def clean_val(val):
         val = re.sub(r'^[\"\u201c\u201d\']|[\"\u201c\u201d\']$', '', val)
         return val
 
+    # Helper to escape value for shell
+    def escape_val(val):
+        if not val: return ""
+        # Escape backslashes first, then double quotes
+        return val.replace('\\', '\\\\').replace('"', '\\"')
+
     lines = content.splitlines()
     parsed = {}
     
@@ -50,7 +56,7 @@ def clean_val(val):
     if not real_profiles: real_profiles = profile_val
 
     # Write back with standard quotes
-    new_content = f'TOKEN="{real_token}"\nPROFILE="{real_profiles}"\n'
+    new_content = f'TOKEN="{escape_val(real_token)}"\nPROFILE="{escape_val(real_profiles)}"\n'
     
     with open('.env', 'w') as f:
         f.write(new_content)