From d2c40850bc65dca2f4c42c5ed7b8c4b6d5461b7a Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sat, 6 Jun 2026 01:50:54 +0000
Subject: [PATCH] fix: Resolve Python code injection vulnerability in idstack-learnings-search

Co-authored-by: savvides <1580637+savvides@users.noreply.github.com>
---
 bin/idstack-learnings-search | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/idstack-learnings-search b/bin/idstack-learnings-search
index 94cc40f..172cdeb 100755
--- a/bin/idstack-learnings-search
+++ b/bin/idstack-learnings-search
@@ -40,10 +40,10 @@ if command -v python3 &>/dev/null; then
 python3 -c "
 import json, sys
 
-sources = '$SOURCES'.split()
-type_filter = '$TYPE'
-keyword = '$KEYWORD'.lower()
-limit = $LIMIT
+sources = sys.argv[1].split()
+type_filter = sys.argv[2]
+keyword = sys.argv[3].lower()
+limit = int(sys.argv[4])
 
 matches = []
 for src in sources:
@@ -69,7 +69,7 @@ for src in sources:
 # Local learnings first (take precedence), then global
 for m in matches[-limit:]:
 print(m)
-" 2>/dev/null || {
+" "$SOURCES" "$TYPE" "$KEYWORD" "$LIMIT" 2>/dev/null || {
 # Fallback: basic grep
 if [ -n "$KEYWORD" ]; then
 cat $SOURCES 2>/dev/null | grep -i "$KEYWORD" | tail -"$LIMIT"
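Review bot: `limit = int(sys.argv[4])` raises ValueError on an empty or non-numeric LIMIT, and because the command's stderr is sent to `/dev/null` and followed by `||`, that failure silently drops into the grep fallback with the same unvalidated value. Unless LIMIT is already checked earlier in the script (not visible in this hunk), validate it in the shell before the `python3` call, for example `case "$LIMIT" in ''|*[!0-9]*) echo "limit must be a non-negative integer" >&2; exit 1 ;; esac`. A limit of 0 also makes the later `matches[-limit:]` return every match rather than none, so either reject 0 or handle it explicitly. The Python body remains inside a double-quoted shell string, so a comment above the assignments such as `# values arrive via sys.argv; never interpolate shell variables into this string` would help keep the fix from regressing.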
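Review bot: The fallback block after `||` still consumes the same caller-supplied values without the separation the Python path now has: `cat $SOURCES` is unquoted, so it is subject to glob expansion as well as word splitting, and `grep -i "$KEYWORD"` parses a keyword that begins with `-` as an option. Because any Python error is hidden by `2>/dev/null` and lands in this block, the fallback is reachable even on hosts where python3 is installed. Passing the pattern explicitly, `grep -i -e "$KEYWORD"`, and disabling globbing around the `cat` (or holding the source paths in an array) would bring the fallback in line with the fix. The fallback continues past the end of this hunk, so the remaining branches may need the same treatment.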