From c338afdf1e3bfdb148b25fc1383e71e178a8ddfd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 17:14:34 +0000 Subject: [PATCH 1/2] Initial plan From 8a4afbdf0511cf98e4b949b2d825781f83d152d3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Feb 2026 17:16:04 +0000 Subject: [PATCH 2/2] Add shell injection protection for branch names in resolve-review command Co-authored-by: pontemonti <7850950+pontemonti@users.noreply.github.com> --- .claude/commands/resolve-review.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/.claude/commands/resolve-review.md b/.claude/commands/resolve-review.md index 47c84c2..42cec03 100644 --- a/.claude/commands/resolve-review.md +++ b/.claude/commands/resolve-review.md @@ -157,12 +157,27 @@ For each issue marked "Agent Resolvable: Yes": 1. Push the fix branch to origin: ```bash cd .worktrees/pr--fixes - git push -u origin + git push -u origin "$FIX_BRANCH_NAME" ``` 2. Create a PR to merge fixes into the original PR branch: ```bash - gh pr create --base --head --title "fix: address code review comments for PR #" --body "$(cat <<'EOF' + # Validate that branch names are safe (alphanumerics, dot, slash, dash, underscore) + case "$ORIGINAL_PR_HEAD_BRANCH" in + (*[!A-Za-z0-9._/-]*|'') + echo "Error: ORIGINAL_PR_HEAD_BRANCH contains unsafe characters: $ORIGINAL_PR_HEAD_BRANCH" >&2 + exit 1 + ;; + esac + + case "$FIX_BRANCH_NAME" in + (*[!A-Za-z0-9._/-]*|'') + echo "Error: FIX_BRANCH_NAME contains unsafe characters: $FIX_BRANCH_NAME" >&2 + exit 1 + ;; + esac + + gh pr create --base "$ORIGINAL_PR_HEAD_BRANCH" --head "$FIX_BRANCH_NAME" --title "fix: address code review comments for PR #" --body "$(cat <<'EOF' ## Summary Addresses agent-resolvable code review comments from PR #.
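Review bot: The `case` checks are placed in step 2, but `$FIX_BRANCH_NAME` has already been passed to `git push -u origin "$FIX_BRANCH_NAME"` in step 1, so a bad value reaches git before it is validated; move both `case` blocks ahead of the push (or into a shared preamble) so every use is covered. The allowlist `*[!A-Za-z0-9._/-]*` also still admits a value that begins with `-`, which `git push` and `gh pr create` would parse as an option rather than a branch name (argument injection, the remaining risk once the expansions are double-quoted, since `"$VAR"` already prevents word splitting and command substitution). Consider replacing the hand-written pattern with `git check-ref-format --branch "$FIX_BRANCH_NAME" >/dev/null || exit 1`, which enforces git's own ref-name rules (rejects a leading `-`, `..`, a trailing `/` and so on), or at minimum add `-*` to the rejected patterns and prefix the push refspec with `refs/heads/`. Finally, the two blocks are identical apart from the variable; a small `validate_branch_name()` function would keep them from drifting apart.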