security: harden regex escaping and variable expansion

muzahidul-opti · claude · muzahidul-opti · commit 5ea6602cdd82 · 2026-05-04T20:06:57.000+06:00
Additional security hardening for release skill:

1. Escape VERSION in sed regex:
   - Added regex metacharacter escaping for VERSION variable
   - Prevents unintended pattern matching if VERSION contains
     special characters like . + * ( ) [ ] etc.
   - Creates ESCAPED_VERSION before use in sed pattern

2. Properly quote PRERELEASE variable:
   - Replaced parameter expansion with explicit if/else
   - Ensures PRERELEASE is always properly quoted
   - Prevents word splitting or glob expansion issues

These changes address the medium-severity issues identified in
the security review.

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/.claude/skills/release/skill.sh b/.claude/skills/release/skill.sh
@@ -52,7 +52,9 @@ flutter packages pub publish || error "Publishing failed"
 success "Published to pub.dev!"
 
 # Extract CHANGELOG
-CHANGELOG_CONTENT=$(sed -n "/^## ${VERSION}\$/,/^## [0-9]/p" CHANGELOG.md | sed '1d;$d')
+# Escape VERSION for use in sed regex (prevent regex metacharacter interpretation)
+ESCAPED_VERSION=$(printf '%s\n' "$VERSION" | sed 's/[.[\*^$()+?{|]/\\&/g')
+CHANGELOG_CONTENT=$(sed -n "/^## ${ESCAPED_VERSION}\$/,/^## [0-9]/p" CHANGELOG.md | sed '1d;$d')
 [[ -z "$CHANGELOG_CONTENT" ]] && CHANGELOG_CONTENT="Release $VERSION\n\nSee CHANGELOG.md for details."
 
 RELEASE_NOTES="## $VERSION
@@ -61,12 +63,20 @@ $CHANGELOG_CONTENT"
 
 # Create GitHub release
 info "Creating GitHub draft release..."
-GH_RELEASE_URL=$(gh release create "v${VERSION}" \
-    --title "Release v${VERSION}" \
-    --notes "$RELEASE_NOTES" \
-    --target master \
-    --draft \
-    ${PRERELEASE:+$PRERELEASE})
+if [[ -n "$PRERELEASE" ]]; then
+    GH_RELEASE_URL=$(gh release create "v${VERSION}" \
+        --title "Release v${VERSION}" \
+        --notes "$RELEASE_NOTES" \
+        --target master \
+        --draft \
+        "$PRERELEASE")
+else
+    GH_RELEASE_URL=$(gh release create "v${VERSION}" \
+        --title "Release v${VERSION}" \
+        --notes "$RELEASE_NOTES" \
+        --target master \
+        --draft)
+fi
 
 success "GitHub draft release created!"
 
