
Commit 3fc5d51

iavclaude
andcommitted
(#9400 P1b) cli: utils-cli: replace eval with declare -g
eval "declare -g $name=\"$value\"" is equivalent to the safer declare -g "${name}=${value}" which avoids code injection risk. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent efb4c68 commit 3fc5d51

1 file changed

Lines changed: 1 addition & 1 deletion


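--- a/lib/functions/cli/utils-cli.sh
+++ b/lib/functions/cli/utils-cli.sh
@@ -65,7 +65,7 @@ function apply_cmdline_params_to_env() {
 if [[ -z "${!param_name+x}" ]] || [[ "${current_env_value}" != "${param_value}" ]]; then
 display_alert "Applying cmdline param" "'$param_name': '${current_env_value_desc}' --> '${param_value_desc}' ${__my_reason}" "cmdline"
 # use `declare -g` to make it global, we're in a function.
-eval "declare -g $param_name=\"$param_value\""
+declare -g "${param_name}=${param_value}"
 else
 # rpardini: strategic amount of spacing in log files show the kinda neuroticism that drives me.
 display_alert "Skip cmdline param" "'$param_name': already set to '${param_value_desc}' ${__my_reason}" "info"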
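Review bot: `param_name` is still used unvalidated in the new `declare -g "${param_name}=${param_value}"` line and in the `${!param_name+x}` test above it, so dropping `eval` protects the value but not the name: bash still evaluates an array subscript inside a name handed to `declare` or to indirect expansion, and that evaluation can run code. A guard ahead of both uses, such as `[[ "${param_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]` with a rejection path that fits the surrounding code, would close that gap. The two forms are also not strictly equivalent as the commit message states, because under `eval` the value went through double-quote expansion and is now stored literally; that is presumably the intent, and the existing comment could say so, e.g. `# no eval: the value is assigned literally and never re-parsed by the shell`. The function starts and ends outside the hunk, so a name check may already exist earlier in it.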
