fix(security): use jq for safe JSON output in example hooks by sjnims · Pull Request #149 · sjnims/plugin-dev
Example hook scripts were using shell string concatenation to embed
variables in JSON output, which could cause malformed JSON if the
variable contained special characters like quotes or backslashes.

Changed:

- validate-write.sh: Use jq --arg for file_path in error messages
- read-settings-hook.sh: Use jq --arg for MAX_SIZE in error message

Before:

```sh
echo '{"systemMessage": "Path: '"$file_path"'"}' >&2
```

After:

```sh
jq -n --arg path "$file_path" \
  '{"systemMessage": "Path: \($path)"}' >&2
```

This ensures proper JSON escaping regardless of the variable content.
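The PR's "before" and "after" patterns side by side, as an added example that is not code from the sjnims/plugin-dev repository; the function names, the `--argjson` variant for a numeric MAX_SIZE, the integer check and the sample path are assumptions made here:

```shell
#!/bin/sh
# Added example, not code from the sjnims/plugin-dev repository: the PR's
# "before" and "after" patterns side by side, with a parse check for each.
set -eu

# BEFORE: shell string concatenation. A double quote or backslash in the
# variable lands inside the JSON string unescaped, so the output is malformed.
# (printf instead of the PR's echo, so sh and bash treat the backslash alike.)
unsafe_message() {
  file_path="$1"
  printf '%s\n' '{"systemMessage": "Path: '"$file_path"'"}'
}

# AFTER: jq --arg binds the value as a JSON string and does the escaping.
# A real hook sends this to stderr with >&2, as in the PR.
safe_message() {
  file_path="$1"
  jq -cn --arg path "$file_path" '{"systemMessage": "Path: \($path)"}'
}

# Assumed variant for a numeric limit such as MAX_SIZE: --argjson keeps it a
# JSON number. Check it is a plain integer first, because --argjson would
# otherwise accept any JSON the variable happened to contain.
size_message() {
  max_size="$1"
  case "$max_size" in
    ''|*[!0-9]*) echo "size_message: MAX_SIZE must be an integer" >&2; return 1 ;;
  esac
  jq -cn --argjson max "$max_size" \
    '{"systemMessage": "File exceeds \($max) bytes", "maxSize": $max}'
}

# Returns 0 if its argument parses as JSON, non-zero otherwise.
is_valid_json() {
  printf '%s' "$1" | jq -e . >/dev/null 2>&1
}

# Constructed sample path containing both a quote and a backslash.
SAMPLE_PATH='/tmp/a"b\c'

# Stand-alone demo: print both outputs and whether each one parses.
demo() {
  for fn in unsafe_message safe_message; do
    out="$("$fn" "$SAMPLE_PATH")"
    if is_valid_json "$out"; then status=valid; else status=INVALID; fi
    printf '%-15s %-8s %s\n' "$fn" "$status" "$out"
  done
}
if command -v jq >/dev/null 2>&1; then demo; fi
```

With jq installed, the demo prints the concatenated output marked INVALID and the jq output marked valid, which is the check worth running against any hook that builds JSON by hand.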
sjnims deleted the claude/fix-json-safety-01Xd1gK15GA3QQb2XUZCXZAb branch.
sjnims added a commit that referenced this pull request on Dec 13, 2025:

## Summary

Prepare release v0.2.1 with security hardening, bug fixes, and documentation improvements.

## Changes

### Security

- Harden validation scripts against bypass attacks (#164)
- Prevent command injection in test-hook.sh (#148)
- Use jq for safe JSON output in example hooks (#149)
- Document security scope and trust model (#165)

### Fixed

- Remove deprecated mode parameter from claude-pr-review workflow (#171)
- Resolve shellcheck SC1087 errors in validate-hook-schema.sh (#168)
- Replace unofficial `cc` alias with official `claude` CLI command
- Issue/PR template improvements and labels configuration fixes

### Documentation

- Comprehensive documentation improvements across README, CLAUDE.md, and skills
- Added prerequisites section, shellcheck guidance, secure mktemp patterns

### Dependencies

- Updated anthropics/claude-code-action and EndBug/label-sync
- Updated GitHub Actions to latest versions

## Checklist

- [x] Version updated in plugin.json (0.2.1)
- [x] Version updated in marketplace.json (metadata.version AND plugins[0].version)
- [x] Version updated in CLAUDE.md
- [x] CHANGELOG.md updated with release notes
- [x] Markdownlint passes
- [x] Version consistency verified

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>