Bug: Deploy scripts have unquoted shell variables in inline Python — injection risk #365

@gboigwe

Description

In scripts/deploy.sh (lines 121-128), shell variables are interpolated inside a Python inline script without proper escaping:

python3 -c "
import json
with open('$DEPLOY_FILE') as f:
    d = json.load(f)
d['contracts']['$NAME'] = '$CONTRACT_ID'
with open('$DEPLOY_FILE', 'w') as f:
    json.dump(d, f, indent=2)
"

Similarly in scripts/initialize.sh (line 95):

python3 -c "import json; d=json.load(open('$DEPLOY_FILE')); print(d['contracts'].get('$1',''))" 2>/dev/null

Problem

If $NAME, $CONTRACT_ID, or $DEPLOY_FILE contain:

  • Single quotes (') — breaks the Python string literals
  • Semicolons or newlines — enables arbitrary Python code execution
  • Shell metacharacters — could be exploited if these scripts run with untrusted input

While these scripts are typically run by developers, if contract IDs or names from external sources are passed, this becomes a code injection vector.

Impact

  • Script crashes if any variable contains single quotes or special characters
  • Potential for arbitrary code execution if variables are attacker-controlled
  • Deployment records could be corrupted

Suggested Fix

Use a heredoc with proper escaping, or pass variables as arguments to a Python script:

python3 - "$DEPLOY_FILE" "$NAME" "$CONTRACT_ID" << 'PYEOF'
import json, sys
deploy_file, name, contract_id = sys.argv[1], sys.argv[2], sys.argv[3]
with open(deploy_file) as f:
    d = json.load(f)
d['contracts'][name] = contract_id
with open(deploy_file, 'w') as f:
    json.dump(d, f, indent=2)
PYEOF

Files Affected

  • scripts/deploy.sh — Lines 121-128
  • scripts/initialize.sh — Line 95
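Added example (not code from the issue or the project's repository): the argv-passing fix suggested above applied to both affected call sites, plus a self-check that a name containing a single quote and a semicolon is stored and read back literally. The function names, the temporary deploy file and the sample values are assumptions constructed for this demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Assumes the deploy file is a JSON
# object with a "contracts" object, as in the issue's snippets.
set -euo pipefail

# Safe variant of the scripts/deploy.sh update: values travel as argv, so
# quotes, semicolons and newlines in them are data, never Python source.
record_contract() {
    local deploy_file=$1 name=$2 contract_id=$3
    python3 - "$deploy_file" "$name" "$contract_id" <<'PYEOF'
import json, sys
deploy_file, name, contract_id = sys.argv[1:4]
with open(deploy_file) as f:
    d = json.load(f)
d.setdefault('contracts', {})[name] = contract_id
with open(deploy_file, 'w') as f:
    json.dump(d, f, indent=2)
PYEOF
}

# Safe variant of the scripts/initialize.sh lookup: prints the ID, or an
# empty line when the name is not recorded.
lookup_contract() {
    local deploy_file=$1 name=$2
    python3 - "$deploy_file" "$name" <<'PYEOF'
import json, sys
with open(sys.argv[1]) as f:
    d = json.load(f)
print(d.get('contracts', {}).get(sys.argv[2], ''))
PYEOF
}

# Self-check with a constructed deploy file and a name that would have broken
# (or been executed by) the interpolated version.
demo() {
    local tmp name="tricky'; import os"
    tmp=$(mktemp)
    printf '{"contracts": {}}\n' > "$tmp"
    record_contract "$tmp" "$name" "CABC123"
    lookup_contract "$tmp" "$name"    # prints CABC123
    rm -f "$tmp"
}

demo
```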

Labels: bug (Something isn't working), security (Security vulnerability or risk)