security: harden shell JSON parsing with shared helper

Author: benvinegar

bin/baudbot

@@ -21,6 +21,9 @@ if [ -z "${BAUDBOT_ROOT:-}" ]; then
   BAUDBOT_ROOT="$(cd "$(dirname "$SCRIPT")/.." && pwd)"
 fi
 
+# shellcheck source=bin/lib/json-common.sh
+source "$BAUDBOT_ROOT/bin/lib/json-common.sh"
+
 # Colors (disabled if not a terminal)
 if [ -t 1 ]; then
   BOLD='\033[1m'
@@ -34,11 +37,15 @@ else
 fi
 
 version() {
-  if [ -f "$BAUDBOT_ROOT/package.json" ]; then
-    grep '"version"' "$BAUDBOT_ROOT/package.json" | head -1 | sed 's/.*: *"\(.*\)".*/\1/'
-  else
-    echo "unknown"
+  local package_json="$BAUDBOT_ROOT/package.json"
+  local pkg_version=""
+
+  if [ -f "$package_json" ]; then
+    pkg_version="$(json_get_string_or_empty "$package_json" "version")"
+    [ -n "$pkg_version" ] && echo "$pkg_version" && return 0
   fi
+
+  echo "unknown"
 }
 
 version_sha() {
@@ -73,7 +80,7 @@ version_sha() {
   # Runtime metadata fallback
   version_file="/home/${BAUDBOT_AGENT_USER:-baudbot_agent}/.pi/agent/baudbot-version.json"
   if [ -r "$version_file" ]; then
-    sha="$(grep -E '"sha"[[:space:]]*:' "$version_file" | head -1 | sed 's/.*"sha"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')"
+    sha="$(json_get_string_or_empty "$version_file" "sha")"
     [ -n "$sha" ] && echo "${sha:0:7}" && return 0
   fi
 
@@ -282,20 +289,25 @@ has_systemd() {
 print_deployed_version() {
   local agent_user="${BAUDBOT_AGENT_USER:-baudbot_agent}"
   local version_file="/home/$agent_user/.pi/agent/baudbot-version.json"
-  local version_json=""
   local short=""
   local sha=""
   local branch=""
   local deployed_at=""
   local line=""
 
   if [ -r "$version_file" ]; then
-    version_json="$(cat "$version_file" 2>/dev/null || true)"
+    short="$(json_get_string_or_empty "$version_file" "short")"
+    sha="$(json_get_string_or_empty "$version_file" "sha")"
+    branch="$(json_get_string_or_empty "$version_file" "branch")"
+    deployed_at="$(json_get_string_or_empty "$version_file" "deployed_at")"
   elif [ "$(id -u)" -eq 0 ] && id "$agent_user" >/dev/null 2>&1; then
-    version_json="$(sudo -u "$agent_user" cat "$version_file" 2>/dev/null || true)"
+    short="$(sudo -u "$agent_user" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "short" 2>/dev/null || true)"
+    sha="$(sudo -u "$agent_user" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "sha" 2>/dev/null || true)"
+    branch="$(sudo -u "$agent_user" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "branch" 2>/dev/null || true)"
+    deployed_at="$(sudo -u "$agent_user" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "deployed_at" 2>/dev/null || true)"
   fi
 
-  if [ -z "$version_json" ]; then
+  if [ -z "$short" ] && [ -z "$sha" ] && [ -z "$branch" ] && [ -z "$deployed_at" ]; then
     local release_target=""
     local release_sha=""
 
@@ -309,11 +321,6 @@ print_deployed_version() {
     return 0
   fi
 
-  short="$(printf '%s\n' "$version_json" | grep -E '"short"[[:space:]]*:' | head -1 | sed 's/.*"short"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')"
-  sha="$(printf '%s\n' "$version_json" | grep -E '"sha"[[:space:]]*:' | head -1 | sed 's/.*"sha"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')"
-  branch="$(printf '%s\n' "$version_json" | grep -E '"branch"[[:space:]]*:' | head -1 | sed 's/.*"branch"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')"
-  deployed_at="$(printf '%s\n' "$version_json" | grep -E '"deployed_at"[[:space:]]*:' | head -1 | sed 's/.*"deployed_at"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')"
-
   if [ -z "$short" ] && [ -n "$sha" ]; then
     short="${sha:0:7}"
   fi

bin/deploy.sh

@@ -18,6 +18,10 @@ BAUDBOT_SRC="${BAUDBOT_SRC:-$(cd "$(dirname "$0")/.." && pwd)}"
 BAUDBOT_HOME="${BAUDBOT_HOME:-/home/baudbot_agent}"
 AGENT_USER="baudbot_agent"
 DRY_RUN=0
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# shellcheck source=bin/lib/json-common.sh
+source "$SCRIPT_DIR/lib/json-common.sh"
 
 # Helper: run a command as baudbot_agent
 as_agent() {
@@ -385,9 +389,9 @@ if [ "$DRY_RUN" -eq 0 ]; then
     GIT_SHA_SHORT=$(cd "$BAUDBOT_SRC" && git rev-parse --short HEAD 2>/dev/null || echo "unknown")
     GIT_BRANCH=$(cd "$BAUDBOT_SRC" && git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "unknown")
   elif [ -f "$RELEASE_META_FILE" ]; then
-    GIT_SHA=$(grep '"sha"' "$RELEASE_META_FILE" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/' || true)
-    GIT_SHA_SHORT=$(grep '"short"' "$RELEASE_META_FILE" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/' || true)
-    GIT_BRANCH=$(grep '"branch"' "$RELEASE_META_FILE" | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/' || true)
+    GIT_SHA="$(json_get_string_or_empty "$RELEASE_META_FILE" "sha")"
+    GIT_SHA_SHORT="$(json_get_string_or_empty "$RELEASE_META_FILE" "short")"
+    GIT_BRANCH="$(json_get_string_or_empty "$RELEASE_META_FILE" "branch")"
   fi
 
   [ -n "$GIT_SHA" ] || GIT_SHA="unknown"

bin/lib/json-common.sh

@@ -0,0 +1,107 @@
+#!/bin/bash
+# Shared JSON parsing helpers for shell scripts.
+#
+# Return codes:
+#   0 => key found and value printed
+#   1 => JSON parsed, but key missing/non-string
+#   2 => JSON/file/tool error
+
+_json_filter='if (type == "object") and has($k) and (.[$k] | type == "string") then .[$k] else empty end'
+
+json_get_string() {
+  local file="$1"
+  local key="$2"
+
+  [ -n "$file" ] || return 2
+  [ -n "$key" ] || return 2
+  [ -r "$file" ] || return 2
+
+  if command -v jq >/dev/null 2>&1; then
+    jq -er --arg k "$key" "$_json_filter" "$file" 2>/dev/null
+    case "$?" in
+      0) return 0 ;;
+      1) return 1 ;;
+      *) return 2 ;;
+    esac
+  fi
+
+  if ! command -v python3 >/dev/null 2>&1; then
+    return 2
+  fi
+
+  python3 - "$file" "$key" <<'PY'
+import json
+import sys
+
+if len(sys.argv) != 3:
+    sys.exit(2)
+
+path = sys.argv[1]
+key = sys.argv[2]
+
+try:
+    with open(path, "r", encoding="utf-8") as f:
+        data = json.load(f)
+except Exception:
+    sys.exit(2)
+
+if not isinstance(data, dict):
+    sys.exit(1)
+
+value = data.get(key)
+if not isinstance(value, str):
+    sys.exit(1)
+
+sys.stdout.write(value)
+PY
+}
+
+json_get_string_stdin() {
+  local key="$1"
+
+  [ -n "$key" ] || return 2
+
+  if command -v jq >/dev/null 2>&1; then
+    jq -er --arg k "$key" "$_json_filter" 2>/dev/null
+    case "$?" in
+      0) return 0 ;;
+      1) return 1 ;;
+      *) return 2 ;;
+    esac
+  fi
+
+  if ! command -v python3 >/dev/null 2>&1; then
+    return 2
+  fi
+
+  python3 - "$key" <<'PY'
+import json
+import sys
+
+if len(sys.argv) != 2:
+    sys.exit(2)
+
+key = sys.argv[1]
+
+try:
+    data = json.load(sys.stdin)
+except Exception:
+    sys.exit(2)
+
+if not isinstance(data, dict):
+    sys.exit(1)
+
+value = data.get(key)
+if not isinstance(value, str):
+    sys.exit(1)
+
+sys.stdout.write(value)
+PY
+}
+
+json_get_string_or_empty() {
+  local file="$1"
+  local key="$2"
+
+  json_get_string "$file" "$key" 2>/dev/null || true
+}

bin/lib/json-common.test.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+# Tests for bin/lib/json-common.sh
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=bin/lib/json-common.sh
+source "$SCRIPT_DIR/json-common.sh"
+
+TOTAL=0
+PASSED=0
+FAILED=0
+
+run_test() {
+  local name="$1"
+  shift
+  local out
+
+  TOTAL=$((TOTAL + 1))
+  printf "  %-45s " "$name"
+
+  out="$(mktemp /tmp/baudbot-json-common-test-output.XXXXXX)"
+  if "$@" >"$out" 2>&1; then
+    echo "✓"
+    PASSED=$((PASSED + 1))
+  else
+    echo "✗ FAILED"
+    tail -40 "$out" | sed 's/^/    /'
+    FAILED=$((FAILED + 1))
+  fi
+  rm -f "$out"
+}
+
+test_parses_string_key_with_whitespace_variations() {
+  (
+    set -euo pipefail
+    local tmp file value
+    tmp="$(mktemp -d /tmp/baudbot-json-common-test.XXXXXX)"
+    trap 'rm -rf "$tmp"' EXIT
+
+    file="$tmp/meta.json"
+    cat > "$file" <<'EOF'
+{
+  "sha"   :    "abc123",
+  "short": "abc123",
+  "nested": { "x": 1 }
+}
+EOF
+
+    value="$(json_get_string "$file" "sha")"
+    [ "$value" = "abc123" ]
+  )
+}
+
+test_missing_key_returns_nonzero() {
+  (
+    set -euo pipefail
+    local tmp file
+    tmp="$(mktemp -d /tmp/baudbot-json-common-test.XXXXXX)"
+    trap 'rm -rf "$tmp"' EXIT
+
+    file="$tmp/meta.json"
+    printf '{"sha":"abc123"}\n' > "$file"
+
+    if json_get_string "$file" "branch" >/dev/null 2>&1; then
+      return 1
+    fi
+
+    [ -z "$(json_get_string_or_empty "$file" "branch")" ]
+  )
+}
+
+test_malformed_json_returns_nonzero() {
+  (
+    set -euo pipefail
+    local tmp file
+    tmp="$(mktemp -d /tmp/baudbot-json-common-test.XXXXXX)"
+    trap 'rm -rf "$tmp"' EXIT
+
+    file="$tmp/bad.json"
+    printf '{"sha": "abc123"\n' > "$file"
+
+    if json_get_string "$file" "sha" >/dev/null 2>&1; then
+      return 1
+    fi
+  )
+}
+
+test_stdin_parser_handles_whitespace() {
+  (
+    set -euo pipefail
+    local value
+
+    value="$(printf '{\n  "deployed_at" : "2026-02-21T20:00:00Z"\n}\n' | json_get_string_stdin "deployed_at")"
+    [ "$value" = "2026-02-21T20:00:00Z" ]
+  )
+}
+
+echo "=== json-common tests ==="
+echo ""
+
+run_test "parses string key with whitespace" test_parses_string_key_with_whitespace_variations
+run_test "missing key returns nonzero" test_missing_key_returns_nonzero
+run_test "malformed json returns nonzero" test_malformed_json_returns_nonzero
+run_test "stdin parser handles whitespace" test_stdin_parser_handles_whitespace
+
+echo ""
+echo "=== $PASSED/$TOTAL passed, $FAILED failed ==="
+
+if [ "$FAILED" -gt 0 ]; then
+  exit 1
+fi

bin/rollback-release.sh

@@ -41,6 +41,8 @@ EOF
 
 # shellcheck source=bin/lib/release-common.sh
 source "$SCRIPT_DIR/lib/release-common.sh"
+# shellcheck source=bin/lib/json-common.sh
+source "$SCRIPT_DIR/lib/json-common.sh"
 
 TARGET_SPEC="${1:-previous}"
 if [ "$#" -gt 0 ]; then
@@ -159,10 +161,10 @@ run_restart_and_health() {
   local expected_sha
   local deployed_sha
 
-  expected_sha=$(grep '"sha"' "$TARGET_RELEASE/baudbot-release.json" 2>/dev/null | head -1 | sed 's/.*: *"\([^"]*\)".*/\1/' || true)
+  expected_sha="$(json_get_string_or_empty "$TARGET_RELEASE/baudbot-release.json" "sha")"
   [ -n "$expected_sha" ] || expected_sha="$(basename "$TARGET_RELEASE")"
 
-  deployed_sha="$(sudo -u "$BAUDBOT_AGENT_USER" sh -c "grep '\"sha\"' '$version_file' 2>/dev/null | head -1 | sed 's/.*\"sha\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/'")"
+  deployed_sha="$(sudo -u "$BAUDBOT_AGENT_USER" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "sha" 2>/dev/null || true)"
 
   if [ -z "$deployed_sha" ]; then
     die "deployed version file missing or unreadable: $version_file"

bin/security-audit.sh

@@ -14,6 +14,11 @@ set -euo pipefail
 BAUDBOT_HOME="${BAUDBOT_HOME:-/home/baudbot_agent}"
 # Source repo — auto-detect from this script's location, or use env override
 BAUDBOT_SRC="${BAUDBOT_SRC:-$(cd "$(dirname "$0")/.." && pwd)}"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# shellcheck source=bin/lib/json-common.sh
+source "$SCRIPT_DIR/lib/json-common.sh"
+
 DEEP=0
 FIX=0
 for arg in "$@"; do
@@ -224,8 +229,10 @@ VERSION_FILE="$BAUDBOT_HOME/.pi/agent/baudbot-version.json"
 MANIFEST_FILE="$BAUDBOT_HOME/.pi/agent/baudbot-manifest.json"
 
 if [ -f "$VERSION_FILE" ]; then
-  deploy_sha=$(grep '"short"' "$VERSION_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "?")
-  deploy_ts=$(grep '"deployed_at"' "$VERSION_FILE" 2>/dev/null | sed 's/.*: *"\([^"]*\)".*/\1/' || echo "?")
+  deploy_sha="$(json_get_string_or_empty "$VERSION_FILE" "short")"
+  deploy_ts="$(json_get_string_or_empty "$VERSION_FILE" "deployed_at")"
+  [ -n "$deploy_sha" ] || deploy_sha="?"
+  [ -n "$deploy_ts" ] || deploy_ts="?"
   ok "Deployed version: $deploy_sha ($deploy_ts)"
 else
   finding "WARN" "No version stamp found — run deploy.sh" ""

bin/update-release.sh

@@ -58,6 +58,8 @@ die() {
 
 # shellcheck source=bin/lib/release-common.sh
 source "$SCRIPT_DIR/lib/release-common.sh"
+# shellcheck source=bin/lib/json-common.sh
+source "$SCRIPT_DIR/lib/json-common.sh"
 
 cleanup() {
   if [ -n "$CHECKOUT_DIR" ] && [ -d "$CHECKOUT_DIR" ]; then
@@ -305,7 +307,7 @@ run_restart_and_health() {
   local version_file="$BAUDBOT_AGENT_HOME/.pi/agent/baudbot-version.json"
   local deployed_sha
 
-  deployed_sha="$(sudo -u "$BAUDBOT_AGENT_USER" sh -c "grep '\"sha\"' '$version_file' 2>/dev/null | head -1 | sed 's/.*\"sha\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/'")"
+  deployed_sha="$(sudo -u "$BAUDBOT_AGENT_USER" sh -c "cat '$version_file' 2>/dev/null" | json_get_string_stdin "sha" 2>/dev/null || true)"
 
   if [ -z "$deployed_sha" ]; then
     die "deployed version file missing or unreadable: $version_file"

test/shell-scripts.test.mjs

@@ -31,4 +31,8 @@ describe("shell script test suites", () => {
     expect(() => runScript("bin/env.test.sh")).not.toThrow();
   });
 
+  it("json helper", () => {
+    expect(() => runScript("bin/lib/json-common.test.sh")).not.toThrow();
+  });
+
 });