From e11ef412f5f436dc87c3b3ca01c6194b7d7078dd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 8 Dec 2025 07:55:36 +0000
Subject: [PATCH] Add shell escaping for kubeContext in TemplateArgs

Addressed code review feedback to properly quote the kubeContext value using shellescape.Quote() to prevent potential command injection if the context name contains spaces or special characters. Also added clearer comments explaining the string matching logic for existing flags.

Co-authored-by: yxxhero <11087727+yxxhero@users.noreply.github.com>
---
 pkg/state/state.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pkg/state/state.go b/pkg/state/state.go
index dbf2a182..f3cb0887 100644
--- a/pkg/state/state.go
+++ b/pkg/state/state.go
@@ -20,6 +20,7 @@ import (
 	"text/template"
 	"time"
 
+	shellescape "al.essio.dev/pkg/shellescape"
 	"dario.cat/mergo"
 	"github.com/Masterminds/semver/v3"
 	"github.com/gofrs/flock"
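Review bot: The diffstat lists only pkg/state/state.go, yet this hunk adds the import `al.essio.dev/pkg/shellescape`; unless that module is already required in go.mod and recorded in go.sum, the build fails, so the commit should either carry the go.mod/go.sum changes or state that the module is already a direct dependency. The explicit alias `shellescape` repeats the package's own name and can be dropped: `"al.essio.dev/pkg/shellescape"`. Since shellescape.Quote emits POSIX single-quoted words, the quoting it applies to TemplateArgs in processChartification only protects the value if the consumer of TemplateArgs splits it with shell quoting rules rather than on plain whitespace; that consumer is outside this diff and is worth confirming, ideally with a test that passes a context name containing a space or quote.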
@@ -1433,12 +1434,17 @@ func (st *HelmState) processChartification(chartification *Chartify, release *Re
 	}
 	if kubeContext != "" {
+		// Build the template args with proper quoting for the kubeContext value
+		// Use shellescape to safely quote the context name in case it contains special characters
+		quotedContext := shellescape.Quote(kubeContext)
 		if chartifyOpts.TemplateArgs == "" {
-			chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s --dry-run=server", kubeContext)
+			chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s --dry-run=server", quotedContext)
 		} else {
+			// Only add --kube-context if not already present
 			if !strings.Contains(chartifyOpts.TemplateArgs, "--kube-context") {
-				chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s %s", kubeContext, chartifyOpts.TemplateArgs)
+				chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s %s", quotedContext, chartifyOpts.TemplateArgs)
 			}
+			// Add --dry-run if not already present
 			if !strings.Contains(chartifyOpts.TemplateArgs, "--dry-run") {
 				chartifyOpts.TemplateArgs += " --dry-run=server"
 			}