From f76f5f38b41662555a42f945f9eb9e772d414286 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 23 May 2026 00:55:39 +0000
Subject: [PATCH] fix(idstack-status): mitigate code injection vulnerability via `$PROJECT_NAME`

Pass `$PROJECT_NAME` via environment variable and use `os.environ.get()` in the inline python script instead of direct interpolation to prevent execution of arbitrary python code.

Co-authored-by: savvides <1580637+savvides@users.noreply.github.com>
---
 bin/idstack-status | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/bin/idstack-status b/bin/idstack-status
index 4535cbd..435a325 100755
--- a/bin/idstack-status
+++ b/bin/idstack-status
@@ -60,8 +60,9 @@ if ! command -v python3 &>/dev/null; then
 fi
 
 if [ "$READINESS_ONLY" -eq 0 ]; then
+export PROJECT_NAME
 python3 -c "
-import json, sys
+import json, sys, os
 
 lines = open('$TIMELINE').readlines()[-200:]
 events = []
@@ -75,7 +76,8 @@ if not events:
     print('No valid timeline entries.')
     sys.exit(0)
 
-print(f'Project: $PROJECT_NAME')
+project_name = os.environ.get('PROJECT_NAME', 'unknown')
+print(f'Project: {project_name}')
 print()
 
 # Skills completed
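Review bot: The same shell interpolation the commit removes for `$PROJECT_NAME` is still present one context line below the new `import json, sys, os` in the first hunk: `lines = open('$TIMELINE').readlines()[-200:]` splices `$TIMELINE` into the Python source inside the double-quoted `python3 -c` string, so a value containing a single quote still alters the program rather than the data. The fix is the one the commit already applies, namely `export TIMELINE` beside `export PROJECT_NAME` and `lines = open(os.environ['TIMELINE']).readlines()[-200:]` in the script. Whether `TIMELINE` can carry untrusted content is not visible from this hunk (it is presumably assigned earlier in the script), so treat this as closing the same pattern rather than a confirmed exploitable path; the embedded Python continues past both hunks, so any further `$VAR` references in it deserve the same treatment.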