From a9660bc48ee65ce93cc185e98fc71f61f70c9396 Mon Sep 17 00:00:00 2001
From: Sagar Patil <sagar.patil@stellar.org>
Date: Tue, 9 Jun 2026 19:51:14 -0700
Subject: [PATCH 1/2] Harden scripts against argument injection and malformed
 inputs

Addresses the findings from the vuln-hunt sweep against 820b478. The dominant
class was argument injection: untrusted CLI values (--rev, --image, --registry,
--tag) flowing into git/docker as positional args where a leading dash is
parsed as an option (e.g. --rev=--upload-pack=<cmd> -> RCE; --image=--privileged
-> full container caps).

Security fixes:
- common.reject_option_like(): central guard refusing values that begin with
  '-' before they reach a subprocess argv. A valid image ref, git ref, or tag
  never starts with '-'.
- repro_test.clone(): reject option-like repo/rev and pin --end-of-options
  before the git fetch positionals (the high-severity RCE vector).
- docker_inspect: guard image refs, manifest tag, and sources.
- git_remote.ls_remote: guard URL/refspecs and pin --end-of-options.
- Boundary guards on --image/--tag/--registry in smoke_test_image, repro_test,
  write_metadata, build_image, publish_manifests, publish_aliases.
- release_body: validate every metadata field (digest, arch, tag, rust_base_key)
  and --registry/--repo against safe charsets before interpolating them into the
  copy-paste verification shell block; refuse symlinked meta-*.json.
- validate_json.iter_json_files: skip *.json that resolve outside the repo tree
  (symlink-followed arbitrary-file read).

Robustness fixes:
- builds.load(): require a top-level JSON object (was AttributeError downstream).
- builds.split_entry(): require a string pin (was AttributeError on null/int).
- refresh: catch CalledProcessError from the docker digest lookup; only re-sort
  rust_versions when a pin was actually appended (no spurious reorder on no-op).

Adds focused tests for each guard; full suite passes (223), ruff clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 scripts/build_image.py              |  2 +
 scripts/lib/builds.py               | 14 ++++++-
 scripts/lib/common.py               | 22 +++++++++++
 scripts/lib/docker_inspect.py       |  7 +++-
 scripts/lib/git_remote.py           |  7 +++-
 scripts/publish_aliases.py          |  1 +
 scripts/publish_manifests.py        |  5 +++
 scripts/refresh.py                  | 17 +++++++--
 scripts/release_body.py             | 37 +++++++++++++++++++
 scripts/repro_test.py               | 20 +++++++++-
 scripts/smoke_test_image.py         |  3 ++
 scripts/validate_json.py            |  7 ++++
 scripts/write_metadata.py           |  5 +++
 tests/integration/test_refresh.py   | 31 ++++++++++++++++
 tests/unit/test_build_image.py      | 21 +++++++++++
 tests/unit/test_builds.py           | 13 +++++++
 tests/unit/test_common.py           | 17 +++++++++
 tests/unit/test_docker_inspect.py   | 27 ++++++++++++++
 tests/unit/test_git_remote.py       | 23 ++++++++++++
 tests/unit/test_release_body.py     | 57 +++++++++++++++++++++++++++++
 tests/unit/test_repro_test.py       | 23 ++++++++++++
 tests/unit/test_smoke_test_image.py | 26 +++++++++++++
 tests/unit/test_validate_json.py    | 17 +++++++++
 tests/unit/test_write_metadata.py   | 23 ++++++++++++
 24 files changed, 416 insertions(+), 9 deletions(-)

diff --git a/scripts/build_image.py b/scripts/build_image.py
index 5057a46..93aa1f8 100755
--- a/scripts/build_image.py
+++ b/scripts/build_image.py
@@ -31,6 +31,8 @@ def main(argv: list[str] | None = None) -> int:
     data = builds.load()
     rust_digest = args.rust_image_digest
     try:
+        if args.tag:
+            common.reject_option_like(args.tag, "--tag")
         builds.assert_pair_declared(
             data, args.stellar_cli_version, f"{args.rust_version}@{rust_digest}"
         )
diff --git a/scripts/lib/builds.py b/scripts/lib/builds.py
index 3d169a6..05d4697 100644
--- a/scripts/lib/builds.py
+++ b/scripts/lib/builds.py
@@ -20,7 +20,15 @@
 
 def load(path: Path | None = None) -> dict[str, Any]:
     target = path or DEFAULT_PATH
-    return json.loads(target.read_text())
+    data = json.loads(target.read_text())
+    if not isinstance(data, dict):
+        # Every caller treats the result as a mapping (data.get(...)); a JSON
+        # scalar/array would otherwise surface as an opaque AttributeError deep
+        # in an unrelated call. Fail here with a message naming the file.
+        raise ValueError(
+            f"{target} must contain a JSON object at the top level, got {type(data).__name__}"
+        )
+    return data
 
 
 def dump(data: dict[str, Any], path: Path | None = None) -> None:
@@ -59,6 +67,10 @@ def split_entry(pin: str) -> tuple[str, str]:
     `rust:<label>` base and the published tag's `rust<label>` segment;
     the digest pins the exact base bytes.
     """
+    if not isinstance(pin, str):
+        raise ValueError(
+            f"rust base pin must be a string (expected <label>@<digest>), got {type(pin).__name__}"
+        )
     label, sep, digest = pin.partition("@")
     if not sep or not digest:
         raise ValueError(f"invalid rust base pin (expected <label>@<digest>): {pin}")
diff --git a/scripts/lib/common.py b/scripts/lib/common.py
index 3034946..7034af4 100644
--- a/scripts/lib/common.py
+++ b/scripts/lib/common.py
@@ -32,6 +32,28 @@ def repo_root() -> Path:
     return REPO_ROOT
 
 
+def reject_option_like(value: str, name: str) -> str:
+    """Refuse a value that a child process would parse as a command-line option.
+
+    Values that reach a subprocess argv as positionals — image references, git
+    refs, git remote URLs, tags — must not begin with ``-``. Both ``git`` and
+    ``docker`` permute their argv and treat any ``-``-prefixed token as a flag
+    wherever it appears, so an attacker-influenced value like
+    ``--upload-pack=<cmd>`` or ``--privileged`` is interpreted as an injected
+    option rather than data (argument injection, up to arbitrary command
+    execution). A valid image reference, git refname, or tag never starts with
+    ``-``, so rejecting that prefix loses no legitimate input.
+
+    Returns the value unchanged when it is safe, so callers can guard inline.
+    """
+    if value.startswith("-"):
+        raise ValueError(
+            f"{name} must not begin with '-' (got {value!r}): "
+            "a leading dash would be parsed as a command-line option"
+        )
+    return value
+
+
 def step_summary(message: str) -> None:
     """Append a markdown block to the GitHub Actions step summary.
 
diff --git a/scripts/lib/docker_inspect.py b/scripts/lib/docker_inspect.py
index e7b7cc2..11f3409 100644
--- a/scripts/lib/docker_inspect.py
+++ b/scripts/lib/docker_inspect.py
@@ -7,12 +7,13 @@
 
 import re
 
-from lib import runner
+from lib import common, runner
 
 _DIGEST = re.compile(r"sha256:[0-9a-f]{64}")
 
 
 def index_digest(image_ref: str) -> str:
+    common.reject_option_like(image_ref, "image reference")
     # `--format '{{.Manifest.Digest}}'` targets the top-level (index)
     # descriptor's digest. Some buildx releases print the bare digest while
     # others dump the whole descriptor struct, but the descriptor only ever
@@ -28,6 +29,7 @@ def index_digest(image_ref: str) -> str:
 
 
 def exists(image_ref: str) -> bool:
+    common.reject_option_like(image_ref, "image reference")
     result = runner.run(
         ["docker", "buildx", "imagetools", "inspect", image_ref],
         check=False,
@@ -39,4 +41,7 @@ def exists(image_ref: str) -> bool:
 def create_manifest(tag: str, *sources: str) -> None:
     if not sources:
         raise ValueError("create_manifest requires at least one source image")
+    common.reject_option_like(tag, "manifest tag")
+    for source in sources:
+        common.reject_option_like(source, "source image")
     runner.run(["docker", "buildx", "imagetools", "create", "--tag", tag, *sources])
diff --git a/scripts/lib/git_remote.py b/scripts/lib/git_remote.py
index 30e4448..9b71cd4 100644
--- a/scripts/lib/git_remote.py
+++ b/scripts/lib/git_remote.py
@@ -4,11 +4,14 @@
 can patch one symbol per script.
 """
 
-from lib import runner
+from lib import common, runner
 
 
 def ls_remote(repo_url: str, *refspecs: str) -> str:
-    return runner.capture(["git", "ls-remote", repo_url, *refspecs])
+    common.reject_option_like(repo_url, "git remote URL")
+    for refspec in refspecs:
+        common.reject_option_like(refspec, "git refspec")
+    return runner.capture(["git", "ls-remote", "--end-of-options", repo_url, *refspecs])
 
 
 def resolve_tag_commit(repo_url: str, tag: str) -> str | None:
diff --git a/scripts/publish_aliases.py b/scripts/publish_aliases.py
index 2bc357e..35743a0 100755
--- a/scripts/publish_aliases.py
+++ b/scripts/publish_aliases.py
@@ -41,6 +41,7 @@ def main(argv: list[str] | None = None) -> int:
 
     data = builds.load()
     try:
+        common.reject_option_like(args.registry, "--registry")
         default_pin = builds.derive_default_rust(data, args.stellar_cli_version)
         default_rust = builds.label_of(default_pin)
     except ValueError as exc:
diff --git a/scripts/publish_manifests.py b/scripts/publish_manifests.py
index f9ad5a2..b85f7a1 100755
--- a/scripts/publish_manifests.py
+++ b/scripts/publish_manifests.py
@@ -44,6 +44,11 @@ def main(argv: list[str] | None = None) -> int:
     args = build_parser().parse_args(argv)
     common.preflight_checks(["buildx"])
 
+    try:
+        common.reject_option_like(args.registry, "--registry")
+    except ValueError as exc:
+        common.die(str(exc))
+
     data = builds.load()
     entry = builds.find_cli(data, args.stellar_cli_version)
     if entry is None:
diff --git a/scripts/refresh.py b/scripts/refresh.py
index f329cb1..f1a8452 100644
--- a/scripts/refresh.py
+++ b/scripts/refresh.py
@@ -20,6 +20,7 @@
 
 import argparse
 import re
+import subprocess
 import sys
 from collections.abc import Iterable
 
@@ -91,9 +92,14 @@ def append_pins(entry: dict, labels: Iterable[str]) -> bool:
         common.log(f"  -> appending {pin}")
         entry["rust_versions"].append(pin)
         changed = True
-    entry["rust_versions"].sort(
-        key=lambda p: semver.parse(rust_keys.version_of(builds.label_of(p)))
-    )
+    # Only re-sort when we actually appended. Sorting unconditionally would
+    # rewrite (and, via the caller's os.replace(), commit) a reordering of
+    # already-published pins even on a no-op refresh, making release-prepare
+    # see a spurious change.
+    if changed:
+        entry["rust_versions"].sort(
+            key=lambda p: semver.parse(rust_keys.version_of(builds.label_of(p)))
+        )
     return changed
 
 
@@ -143,6 +149,11 @@ def main(argv: list[str] | None = None) -> int:
         data["stellar_cli_versions"].sort(key=lambda e: semver.parse(e["version"]))
     except ValueError as exc:
         common.die(str(exc))
+    except subprocess.CalledProcessError as exc:
+        # `docker buildx imagetools inspect rust:<label>` exits non-zero for an
+        # unknown/typo'd label (e.g. from --rust-versions). Report it cleanly
+        # instead of letting the CalledProcessError escape as a traceback.
+        common.die(f"failed to resolve a rust base digest via docker: {exc}")
     except OSError as exc:
         # Network failure from the Docker Hub tag lookup (urllib raises
         # URLError, an OSError) or a filesystem error.
diff --git a/scripts/release_body.py b/scripts/release_body.py
index fe81113..ffc24b1 100755
--- a/scripts/release_body.py
+++ b/scripts/release_body.py
@@ -9,11 +9,29 @@
 import argparse
 import io
 import json
+import re
 import sys
 from pathlib import Path
 
 from lib import builds, common, semver
 
+# The release body interpolates these metadata fields verbatim into a
+# copy-paste-runnable ```sh``` verification block. Constrain each to a charset
+# that can't smuggle shell metacharacters (e.g. $(...), backticks, ';'), so a
+# malformed/hostile meta-*.json can't plant a command in the published body.
+_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
+_ARCH_RE = re.compile(r"^[a-z0-9]+$")
+_TAG_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
+# A registry ref / repo slug as it appears in the verify commands.
+_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/:-]*$")
+
+_ROW_FIELD_RE = {
+    "digest": _DIGEST_RE,
+    "arch": _ARCH_RE,
+    "tag": _TAG_RE,
+    "rust_base_key": _TAG_RE,
+}
+
 
 def load_metadata(metadata_dir: Path, expected_cli: str) -> list[dict]:
     files = sorted(metadata_dir.glob("meta-*.json"))
@@ -21,6 +39,10 @@ def load_metadata(metadata_dir: Path, expected_cli: str) -> list[dict]:
         raise ValueError(f"no meta-*.json files under {metadata_dir}")
     rows: list[dict] = []
     for f in files:
+        # A symlinked meta-*.json could resolve to an arbitrary file outside the
+        # metadata dir; only read regular files we can vouch for.
+        if f.is_symlink():
+            raise ValueError(f"metadata file {f} is a symlink; refusing to follow it")
         row = json.loads(f.read_text())
         entry_cli = row.get("stellar_cli_version") or ""
         if not entry_cli:
@@ -30,6 +52,15 @@ def load_metadata(metadata_dir: Path, expected_cli: str) -> list[dict]:
                 f"metadata file {f} has stellar_cli_version='{entry_cli}', "
                 f"expected '{expected_cli}'"
             )
+        for field, pattern in _ROW_FIELD_RE.items():
+            value = row.get(field)
+            if not isinstance(value, str) or not pattern.match(value):
+                raise ValueError(
+                    f"metadata file {f} has invalid {field}={value!r}; "
+                    f"expected to match {pattern.pattern}"
+                )
+        if "rust_version" not in row:
+            raise ValueError(f"metadata file {f} is missing the rust_version field")
         rows.append(row)
     rows.sort(key=lambda r: (semver.parse(r["rust_version"]), r["rust_base_key"], r["arch"]))
     return rows
@@ -136,6 +167,12 @@ def main(argv: list[str] | None = None) -> int:
     if not metadata_dir.is_dir():
         common.die(f"{metadata_dir} is not a directory")
 
+    # registry and repo are interpolated into the verification shell block too.
+    if not _REF_RE.match(args.registry):
+        common.die(f"--registry {args.registry!r} has unexpected characters")
+    if not _REF_RE.match(args.repo):
+        common.die(f"--repo {args.repo!r} has unexpected characters")
+
     try:
         rows = load_metadata(metadata_dir, args.stellar_cli_version)
         stellar_ref = builds.stellar_cli_ref(builds.load(), args.stellar_cli_version)
diff --git a/scripts/repro_test.py b/scripts/repro_test.py
index b9db093..c8c978f 100755
--- a/scripts/repro_test.py
+++ b/scripts/repro_test.py
@@ -100,10 +100,19 @@ def test_one_contract(image: str, workdir: Path, name: str) -> bool:
 
 
 def clone(repo: str, rev: str, workdir: Path) -> None:
+    # Both values are untrusted CLI input. git permutes its argv and treats any
+    # '-'-prefixed token as an option wherever it sits, so a rev like
+    # '--upload-pack=<cmd>' (with a file:// repo) would run an arbitrary binary.
+    # Reject the dash prefix and pin '--end-of-options' before the positionals
+    # so git can never reinterpret them as flags.
+    common.reject_option_like(repo, "repo URL")
+    common.reject_option_like(rev, "rev")
     common.log(f"cloning {repo} @ {rev} into {workdir} ...")
     runner.run(["git", "-C", str(workdir), "init", "-q"])
-    runner.run(["git", "-C", str(workdir), "remote", "add", "origin", repo])
-    runner.run(["git", "-C", str(workdir), "fetch", "--depth=1", "origin", rev, "-q"])
+    runner.run(["git", "-C", str(workdir), "remote", "add", "--", "origin", repo])
+    runner.run(
+        ["git", "-C", str(workdir), "fetch", "--depth=1", "-q", "--end-of-options", "origin", rev]
+    )
     runner.run(["git", "-C", str(workdir), "checkout", "-q", "FETCH_HEAD"])
 
 
@@ -123,6 +132,13 @@ def main(argv: list[str] | None = None) -> int:
     args = build_parser().parse_args(argv)
     common.preflight_checks(["git", "buildx"])
 
+    try:
+        common.reject_option_like(args.image, "--image")
+        common.reject_option_like(args.repo, "--repo")
+        common.reject_option_like(args.rev, "--rev")
+    except ValueError as exc:
+        common.die(str(exc))
+
     contracts = args.contracts or list(DEFAULT_CONTRACTS)
     workdir = Path(tempfile.mkdtemp(prefix="repro-test."))
     atexit.register(make_cleanup(workdir, args.keep_workdir))
diff --git a/scripts/smoke_test_image.py b/scripts/smoke_test_image.py
index 7f08bc7..e2b2128 100755
--- a/scripts/smoke_test_image.py
+++ b/scripts/smoke_test_image.py
@@ -84,6 +84,9 @@ def main(argv: list[str] | None = None) -> int:
 
     data = builds.load()
     try:
+        # args.image is fed to `docker run`/`docker inspect` as a positional; a
+        # value like '--privileged' would otherwise be parsed as a docker flag.
+        common.reject_option_like(args.image, "--image")
         parsed = rust_keys.parse(args.rust_version)
         stellar_ref = builds.stellar_cli_ref(data, args.stellar_cli_version)
     except ValueError as exc:
diff --git a/scripts/validate_json.py b/scripts/validate_json.py
index 8e12a35..42465cb 100755
--- a/scripts/validate_json.py
+++ b/scripts/validate_json.py
@@ -20,9 +20,16 @@
 
 
 def iter_json_files(root: Path):
+    root_resolved = root.resolve()
     for path in sorted(root.rglob("*.json")):
         if any(part in EXCLUDED_DIRS for part in path.relative_to(root).parts):
             continue
+        # Don't follow symlinks out of the repo: a symlinked *.json (or a file
+        # reached through a symlinked directory) could resolve anywhere on
+        # disk, turning this repo lint into an arbitrary-file read. Skip any
+        # path whose real location escapes the repo tree.
+        if not path.resolve().is_relative_to(root_resolved):
+            continue
         yield path
 
 
diff --git a/scripts/write_metadata.py b/scripts/write_metadata.py
index 2345142..5e61b04 100755
--- a/scripts/write_metadata.py
+++ b/scripts/write_metadata.py
@@ -38,6 +38,11 @@ def build_parser() -> argparse.ArgumentParser:
 def main(argv: list[str] | None = None) -> int:
     args = build_parser().parse_args(argv)
 
+    try:
+        common.reject_option_like(args.image, "--image")
+    except ValueError as exc:
+        common.die(str(exc))
+
     digest = args.digest
     if not digest:
         try:
diff --git a/tests/integration/test_refresh.py b/tests/integration/test_refresh.py
index c3dd7af..eec3492 100644
--- a/tests/integration/test_refresh.py
+++ b/tests/integration/test_refresh.py
@@ -1,4 +1,5 @@
 import json
+import subprocess
 from pathlib import Path
 
 import pytest
@@ -175,6 +176,36 @@ def test_unresolvable_tag_dies(monkeypatch: pytest.MonkeyPatch, staged_minimal:
         refresh.main(["--stellar-cli-version", "27.0.0", "--rust-versions", "1.95.0-slim-trixie"])
 
 
+def test_docker_failure_dies_cleanly(
+    monkeypatch: pytest.MonkeyPatch, staged_minimal: Path, capsys: pytest.CaptureFixture[str]
+) -> None:
+    # An unknown/typo'd --rust-versions label makes `docker buildx imagetools
+    # inspect` exit non-zero; the CalledProcessError must be reported via die(),
+    # not escape as an unhandled traceback.
+    _no_git(monkeypatch)
+
+    def boom(ref: str) -> str:
+        raise subprocess.CalledProcessError(1, ["docker", "buildx", "imagetools", "inspect", ref])
+
+    monkeypatch.setattr(refresh.docker_inspect, "index_digest", boom)
+    with pytest.raises(SystemExit):
+        refresh.main(["--stellar-cli-version", "26.0.0", "--rust-versions", "nonsuch-label"])
+    assert "docker" in capsys.readouterr().err
+
+
+def test_append_pins_preserves_order_on_noop() -> None:
+    # When no new pin is appended, the existing (possibly published) order must
+    # not be silently re-sorted — that would surface as a spurious change.
+    pin_a = "1.95.0-slim-trixie@sha256:" + "a" * 64
+    pin_b = "1.94.0-slim-trixie@sha256:" + "b" * 64
+    entry = {"rust_versions": [pin_a, pin_b]}  # deliberately not version-sorted
+
+    # All requested labels already present (by exact pin) → no append.
+    changed = refresh.append_pins(entry, [])
+    assert changed is False
+    assert entry["rust_versions"] == [pin_a, pin_b]
+
+
 def test_auto_picks_when_no_rust_versions(
     monkeypatch: pytest.MonkeyPatch, staged_minimal: Path, fixtures_dir: Path
 ) -> None:
diff --git a/tests/unit/test_build_image.py b/tests/unit/test_build_image.py
index 78ffd05..034d039 100644
--- a/tests/unit/test_build_image.py
+++ b/tests/unit/test_build_image.py
@@ -43,6 +43,27 @@ def test_main_invokes_docker_with_build_args(
     assert f"RUST_IMAGE_DIGEST={DIGEST}" in args
 
 
+def test_main_rejects_option_like_tag(
+    monkeypatch: pytest.MonkeyPatch, minimal_builds: dict, capsys: pytest.CaptureFixture[str]
+) -> None:
+    monkeypatch.setattr(build_image.builds, "load", lambda: minimal_builds)
+    monkeypatch.setattr(build_image.common, "preflight_checks", lambda _: None)
+    monkeypatch.setattr(build_image.runner, "run", lambda *_, **__: pytest.fail("ran docker"))
+    with pytest.raises(SystemExit):
+        build_image.main(
+            [
+                "--stellar-cli-version",
+                "26.0.0",
+                "--rust-version",
+                "1.94.0-slim-trixie",
+                "--rust-image-digest",
+                DIGEST,
+                "--tag=--push",  # would reach `docker buildx build` as a flag
+            ]
+        )
+    assert "must not begin with '-'" in capsys.readouterr().err
+
+
 def test_main_respects_platform_flag(monkeypatch: pytest.MonkeyPatch, minimal_builds: dict) -> None:
     monkeypatch.setattr(build_image.builds, "load", lambda: minimal_builds)
     monkeypatch.setattr(build_image.common, "preflight_checks", lambda _: None)
diff --git a/tests/unit/test_builds.py b/tests/unit/test_builds.py
index eff3654..a2474af 100644
--- a/tests/unit/test_builds.py
+++ b/tests/unit/test_builds.py
@@ -11,6 +11,19 @@ def test_load_default_path() -> None:
     assert "stellar_cli_versions" in data
 
 
+def test_load_rejects_non_dict_json(tmp_path: Path) -> None:
+    bad = tmp_path / "list.json"
+    bad.write_text("[1, 2, 3]")
+    with pytest.raises(ValueError, match="must contain a JSON object"):
+        builds.load(bad)
+
+
+@pytest.mark.parametrize("pin", [None, 42, ["a"], {"x": 1}])
+def test_split_entry_rejects_non_string(pin: object) -> None:
+    with pytest.raises(ValueError, match="must be a string"):
+        builds.split_entry(pin)  # type: ignore[arg-type]
+
+
 def test_load_explicit_path(fixtures_dir: Path) -> None:
     data = builds.load(fixtures_dir / "builds_minimal.json")
     assert data["default_distro"] == "trixie"
diff --git a/tests/unit/test_common.py b/tests/unit/test_common.py
index 9cb8984..eb71cae 100644
--- a/tests/unit/test_common.py
+++ b/tests/unit/test_common.py
@@ -86,3 +86,20 @@ def test_sha256_of_streams_large_files(tmp_path: Path) -> None:
     payload = b"x" * (256 * 1024)
     f.write_bytes(payload)
     assert common.sha256_of(f) == hashlib.sha256(payload).hexdigest()
+
+
+def test_reject_option_like_returns_safe_value() -> None:
+    ref = "rust:1.94.0-slim-trixie"
+    assert common.reject_option_like(ref, "image") == ref
+    assert common.reject_option_like("docker.io/stellar/stellar-cli:26.0.0", "image").startswith(
+        "docker.io"
+    )
+
+
+@pytest.mark.parametrize(
+    "value",
+    ["--privileged", "--upload-pack=touch /tmp/x", "-it", "--rm"],
+)
+def test_reject_option_like_rejects_leading_dash(value: str) -> None:
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        common.reject_option_like(value, "image")
diff --git a/tests/unit/test_docker_inspect.py b/tests/unit/test_docker_inspect.py
index 5587f2d..be45238 100644
--- a/tests/unit/test_docker_inspect.py
+++ b/tests/unit/test_docker_inspect.py
@@ -69,3 +69,30 @@ def test_create_manifest_invokes_docker(monkeypatch: pytest.MonkeyPatch) -> None
 def test_create_manifest_requires_sources() -> None:
     with pytest.raises(ValueError, match="at least one"):
         docker_inspect.create_manifest("tag")
+
+
+def test_index_digest_rejects_option_like_ref(monkeypatch: pytest.MonkeyPatch) -> None:
+    # Guard runs before any subprocess; capture must never be reached.
+    monkeypatch.setattr(
+        docker_inspect.runner, "capture", lambda *_, **__: pytest.fail("ran docker")
+    )
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        docker_inspect.index_digest("--config=/tmp/evil")
+
+
+def test_exists_rejects_option_like_ref(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(docker_inspect.runner, "run", lambda *_, **__: pytest.fail("ran docker"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        docker_inspect.exists("--privileged")
+
+
+def test_create_manifest_rejects_option_like_tag(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(docker_inspect.runner, "run", lambda *_, **__: pytest.fail("ran docker"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        docker_inspect.create_manifest("--output=/tmp/x", "src1")
+
+
+def test_create_manifest_rejects_option_like_source(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(docker_inspect.runner, "run", lambda *_, **__: pytest.fail("ran docker"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        docker_inspect.create_manifest("tag", "good-src", "--privileged")
diff --git a/tests/unit/test_git_remote.py b/tests/unit/test_git_remote.py
index 80d50e4..ed4893b 100644
--- a/tests/unit/test_git_remote.py
+++ b/tests/unit/test_git_remote.py
@@ -3,6 +3,29 @@
 from lib import git_remote
 
 
+def test_ls_remote_pins_end_of_options(monkeypatch: pytest.MonkeyPatch) -> None:
+    captured: list[list[str]] = []
+    monkeypatch.setattr(git_remote.runner, "capture", lambda cmd: captured.append(cmd) or "")
+    git_remote.ls_remote("https://example.com/repo.git", "refs/tags/v26.0.0")
+    cmd = captured[0]
+    # --end-of-options must sit before the (untrusted) URL and refspecs so git
+    # can't reinterpret them as flags.
+    assert "--end-of-options" in cmd
+    assert cmd.index("--end-of-options") < cmd.index("https://example.com/repo.git")
+
+
+def test_ls_remote_rejects_option_like_url(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(git_remote.runner, "capture", lambda *_: pytest.fail("ran git"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        git_remote.ls_remote("--upload-pack=touch /tmp/x", "refs/tags/v1")
+
+
+def test_ls_remote_rejects_option_like_refspec(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(git_remote.runner, "capture", lambda *_: pytest.fail("ran git"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        git_remote.ls_remote("https://example.com/repo.git", "--exec=evil")
+
+
 def test_resolve_tag_commit_prefers_peeled_annotated(monkeypatch: pytest.MonkeyPatch) -> None:
     output = (
         "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v26.0.0\n"
diff --git a/tests/unit/test_release_body.py b/tests/unit/test_release_body.py
index 543554e..46a60e6 100644
--- a/tests/unit/test_release_body.py
+++ b/tests/unit/test_release_body.py
@@ -19,6 +19,63 @@ def test_load_metadata_empty_dir_raises(tmp_path: Path) -> None:
         release_body.load_metadata(tmp_path, "26.0.0")
 
 
+def test_load_metadata_rejects_shell_metachars_in_digest(
+    tmp_path: Path, fixtures_dir: Path
+) -> None:
+    import json
+
+    row = json.loads((fixtures_dir / "meta_amd64.json").read_text())
+    # A digest carrying a command substitution would otherwise be interpolated
+    # verbatim into the copy-paste verification shell block.
+    row["digest"] = "sha256:$(touch /tmp/pwned)"
+    (tmp_path / "meta-evil.json").write_text(json.dumps(row))
+    with pytest.raises(ValueError, match="invalid digest"):
+        release_body.load_metadata(tmp_path, "26.0.0")
+
+
+def test_load_metadata_rejects_empty_arch(tmp_path: Path, fixtures_dir: Path) -> None:
+    import json
+
+    row = json.loads((fixtures_dir / "meta_amd64.json").read_text())
+    row["arch"] = ""  # empty arch made list_tag a no-op -> duplicate sections
+    (tmp_path / "meta-x.json").write_text(json.dumps(row))
+    with pytest.raises(ValueError, match="invalid arch"):
+        release_body.load_metadata(tmp_path, "26.0.0")
+
+
+def test_load_metadata_rejects_symlinked_file(tmp_path: Path, fixtures_dir: Path) -> None:
+    outside = tmp_path / "outside.json"
+    outside.write_text((fixtures_dir / "meta_amd64.json").read_text())
+    metadir = tmp_path / "meta"
+    metadir.mkdir()
+    (metadir / "meta-link.json").symlink_to(outside)
+    with pytest.raises(ValueError, match="symlink"):
+        release_body.load_metadata(metadir, "26.0.0")
+
+
+@pytest.mark.parametrize("flag", ["--registry", "--repo"])
+def test_main_rejects_unsafe_ref_args(
+    flag: str,
+    monkeypatch: pytest.MonkeyPatch,
+    tmp_path: Path,
+    fixtures_dir: Path,
+    minimal_builds: dict,
+) -> None:
+    shutil.copy(fixtures_dir / "meta_amd64.json", tmp_path / "meta-amd64.json")
+    monkeypatch.setattr(release_body.builds, "load", lambda: minimal_builds)
+    with pytest.raises(SystemExit):
+        release_body.main(
+            [
+                "--stellar-cli-version",
+                "26.0.0",
+                "--metadata-dir",
+                str(tmp_path),
+                flag,
+                "evil;$(id)",
+            ]
+        )
+
+
 def test_load_metadata_rejects_mismatched_cli(tmp_path: Path, fixtures_dir: Path) -> None:
     shutil.copy(fixtures_dir / "meta_amd64.json", tmp_path / "meta-x.json")
     with pytest.raises(ValueError, match=r"expected '99\.0\.0'"):
diff --git a/tests/unit/test_repro_test.py b/tests/unit/test_repro_test.py
index 3d4f466..f459c70 100644
--- a/tests/unit/test_repro_test.py
+++ b/tests/unit/test_repro_test.py
@@ -5,6 +5,29 @@
 import repro_test
 
 
+def test_clone_rejects_option_like_rev(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    # The classic argument-injection vector: --rev '--upload-pack=<cmd>'.
+    monkeypatch.setattr(repro_test.runner, "run", lambda *_, **__: pytest.fail("ran git"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        repro_test.clone("https://example.com/repo.git", "--upload-pack=touch /tmp/x", tmp_path)
+
+
+def test_clone_rejects_option_like_repo(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    monkeypatch.setattr(repro_test.runner, "run", lambda *_, **__: pytest.fail("ran git"))
+    with pytest.raises(ValueError, match="must not begin with '-'"):
+        repro_test.clone("--config=core.foo=bar", "main", tmp_path)
+
+
+def test_clone_fetch_pins_end_of_options(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> None:
+    cmds: list[list[str]] = []
+    monkeypatch.setattr(repro_test.runner, "run", lambda cmd, **__: cmds.append(cmd))
+    repro_test.clone("https://example.com/repo.git", "main", tmp_path)
+    fetch = next(c for c in cmds if "fetch" in c)
+    assert "--end-of-options" in fetch
+    # rev sits after --end-of-options, so it can never be parsed as a flag.
+    assert fetch.index("--end-of-options") < fetch.index("main")
+
+
 def test_assert_sha256_accepts_valid() -> None:
     assert repro_test.assert_sha256("a" * 64, "build A") is True
 
diff --git a/tests/unit/test_smoke_test_image.py b/tests/unit/test_smoke_test_image.py
index 8cb42f5..ffd3eba 100644
--- a/tests/unit/test_smoke_test_image.py
+++ b/tests/unit/test_smoke_test_image.py
@@ -108,6 +108,32 @@ def test_main_threads_pinned_digest(monkeypatch: pytest.MonkeyPatch, minimal_bui
     assert seen["rust_base_suffix"] == "slim-trixie"
 
 
+def test_main_rejects_option_like_image(
+    monkeypatch: pytest.MonkeyPatch, minimal_builds: dict, capsys: pytest.CaptureFixture[str]
+) -> None:
+    monkeypatch.setattr(smoke_test_image.common, "preflight_checks", lambda _: None)
+    monkeypatch.setattr(smoke_test_image.builds, "load", lambda: minimal_builds)
+    # No docker check should run; an image of '--privileged' would be parsed as
+    # a docker flag, so main() must die before reaching any runner call.
+    monkeypatch.setattr(
+        smoke_test_image.runner, "capture", lambda *_, **__: pytest.fail("ran docker")
+    )
+    monkeypatch.setattr(smoke_test_image.runner, "run", lambda *_, **__: pytest.fail("ran docker"))
+    with pytest.raises(SystemExit):
+        smoke_test_image.main(
+            [
+                "--image=--privileged",  # single token: argparse accepts the '--privileged' value
+                "--stellar-cli-version",
+                "26.0.0",
+                "--rust-version",
+                "1.94.0-slim-trixie",
+                "--rust-image-digest",
+                "sha256:" + "a" * 64,
+            ]
+        )
+    assert "must not begin with '-'" in capsys.readouterr().err
+
+
 def test_check_labels_detects_drifted_digest(
     monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str]
 ) -> None:
diff --git a/tests/unit/test_validate_json.py b/tests/unit/test_validate_json.py
index a19e47f..548b679 100644
--- a/tests/unit/test_validate_json.py
+++ b/tests/unit/test_validate_json.py
@@ -75,6 +75,23 @@ def test_iter_json_files_excludes_well_known_dirs(tmp_path: Path) -> None:
     assert found == {"a.json"}
 
 
+def test_iter_json_files_skips_symlinks_out_of_tree(tmp_path: Path) -> None:
+    # A *.json symlink that resolves outside the repo must not be read — that
+    # would turn this lint into an arbitrary-file read.
+    outside = tmp_path / "outside"
+    outside.mkdir()
+    secret = outside / "secret.json"
+    secret.write_text('{"z": 1, "a": 2}')  # unsorted: would fail the lint if read
+
+    repo = tmp_path / "repo"
+    repo.mkdir()
+    (repo / "real.json").write_text("{}")
+    (repo / "evil.json").symlink_to(secret)
+
+    found = {p.name for p in validate_json.iter_json_files(repo)}
+    assert found == {"real.json"}
+
+
 def test_main_passes_on_real_repo(monkeypatch: pytest.MonkeyPatch) -> None:
     # `validate_json.py` reads the actual builds.json. The repo as committed
     # must always be valid.
diff --git a/tests/unit/test_write_metadata.py b/tests/unit/test_write_metadata.py
index e692fb2..0207a20 100644
--- a/tests/unit/test_write_metadata.py
+++ b/tests/unit/test_write_metadata.py
@@ -26,6 +26,29 @@ def _common_args(out: Path) -> list[str]:
     ]
 
 
+def test_main_rejects_option_like_image(tmp_path: Path, capsys: pytest.CaptureFixture[str]) -> None:
+    out = tmp_path / "meta.json"
+    args = [
+        "--output",
+        str(out),
+        "--arch",
+        "amd64",
+        "--stellar-cli-version",
+        "26.0.0",
+        "--image=--privileged",  # would reach `docker buildx imagetools inspect` as a flag
+        "--rust-base-key",
+        "1.94.0-slim-trixie",
+        "--rust-version",
+        "1.94.0",
+        "--tag",
+        "26.0.0-rust1.94.0-slim-trixie-amd64",
+    ]
+    with pytest.raises(SystemExit):
+        write_metadata.main(args)
+    assert "must not begin with '-'" in capsys.readouterr().err
+    assert not out.exists()
+
+
 def test_main_writes_metadata_with_explicit_digest(tmp_path: Path) -> None:
     out = tmp_path / "meta.json"
     args = [*_common_args(out), "--digest", "sha256:" + "a" * 64]

From 2be85c45a2fbe34729d2ab459253ea131eeea792 Mon Sep 17 00:00:00 2001
From: Sagar Patil <sagar.patil@stellar.org>
Date: Tue, 9 Jun 2026 19:57:15 -0700
Subject: [PATCH 2/2] Assert equality instead of URL substring in
 reject_option_like test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CodeQL flagged the .startswith("docker.io") assertion as incomplete URL
substring sanitization. The guard returns the value verbatim, so assert
equality on the full string — clearer intent and no substring check.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
---
 tests/unit/test_common.py | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/tests/unit/test_common.py b/tests/unit/test_common.py
index eb71cae..8e09cf0 100644
--- a/tests/unit/test_common.py
+++ b/tests/unit/test_common.py
@@ -89,11 +89,9 @@ def test_sha256_of_streams_large_files(tmp_path: Path) -> None:
 
 
 def test_reject_option_like_returns_safe_value() -> None:
-    ref = "rust:1.94.0-slim-trixie"
-    assert common.reject_option_like(ref, "image") == ref
-    assert common.reject_option_like("docker.io/stellar/stellar-cli:26.0.0", "image").startswith(
-        "docker.io"
-    )
+    # The guard returns the value unchanged when it's safe.
+    for ref in ("rust:1.94.0-slim-trixie", "docker.io/stellar/stellar-cli:26.0.0"):
+        assert common.reject_option_like(ref, "image") == ref
 
 
 @pytest.mark.parametrize(