From cd6a8185c6d36d96bb78ddf77a904e514ccc5366 Mon Sep 17 00:00:00 2001
From: Martin Wimpress
Date: Thu, 25 Jul 2024 01:33:59 +0100
Subject: [PATCH] fix: avoid injection of substitution commands when parsing yaml
---
 stream-sprout | 1 +
 1 file changed, 1 insertion(+)
diff --git a/stream-sprout b/stream-sprout
index 4a89653..e02a85c 100755
--- a/stream-sprout
+++ b/stream-sprout
@@ -46,6 +46,7 @@ function parse_yaml() {
 w='[a-zA-Z0-9_]*'
 fs=$'\034'
 sed -ne "s|^\(${s}\):|\1|" \
+ -e 's|`||g;s|\$||g;' \
 -e "s|^\(${s}\)\(${w}\)${s}:${s}[\"']\(.*\)[\"']$s\$|\1${fs}\2${fs}\3|p" \
 -e "s|^\(${s}\)\(${w}\)${s}:${s}\(.*\)${s}\$|\1${fs}\2${fs}\3|p" "${1}" |
 awk -F"${fs}" '{
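Review bot: The added `-e` expression is a two-character denylist applied to every line of the file, so it covers command substitution but leaves double quotes and backslashes in a value untouched; if the awk stage (its body lies outside this hunk) emits `name="value"` assignments that the script later evaluates, a value can still end the quoting early. It also silently changes legitimate settings: a stream key or URL that contains a dollar sign or backtick is parsed without it, and no warning is given. Escaping the value at the point where the assignment is printed, or assigning the parsed fields with `printf -v` or `declare` instead of evaluating generated text, would neutralise the whole class rather than two characters. At minimum add a comment above the expression, for example `# Deletes every backtick and dollar sign in the input; values that need them are altered, and quotes/backslashes are not handled here.`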