From d89ed75b186842cbcde2b75cef2291024a90288d Mon Sep 17 00:00:00 2001 From: Security Fix PR Date: Sat, 11 Oct 2025 05:50:07 +0000 Subject: [PATCH 1/2] Security Fix: Unsafe Quoting in Import Directive Warning (Alert #8) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix quote injection vulnerability in import directive deprecation warning message. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- pkg/parser/frontmatter.go | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/pkg/parser/frontmatter.go b/pkg/parser/frontmatter.go index 3f737dbed92..4cda24e45d1 100644 --- a/pkg/parser/frontmatter.go +++ b/pkg/parser/frontmatter.go @@ -517,9 +517,15 @@ func processIncludesWithVisited(content, baseDir string, extractTools bool, visi if directive != nil { // Emit deprecation warning for legacy syntax if directive.IsLegacy { - fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Deprecated syntax: '%s'. Use '{{#import%s %s}}' instead.", + // Security: Escape strings to prevent quote injection in warning messages + // Use %q format specifier to safely quote strings containing special characters + optionalMarker := "" + if directive.IsOptional { + optionalMarker = "?" + } + fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Deprecated syntax: %q. Use {{#import%s %s}} instead.", directive.Original, - map[bool]string{true: "?", false: ""}[directive.IsOptional], + optionalMarker, directive.Path))) } From 74731da1c1087afc880fa405698779fd92fc8a77 Mon Sep 17 00:00:00 2001 
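Review bot: The new `fmt.Sprintf` call in this hunk still interpolates `directive.Path` with a bare `%s`, so the same control characters that `%q` now neutralizes in `directive.Original` (newlines, `\x1b[` terminal escapes) can still reach stderr through the path half of the message and forge extra warning lines or terminal output; both fields appear to come from the same user-authored import directive, so they deserve the same treatment. Because the suggested `{{#import ...}}` text is meant to be copy-pasteable, quoting the path with `%q` would misrender it, so stripping control characters before formatting keeps the suggestion readable while closing the gap (this needs `strings` and `unicode` in the file's import block if they are not already there). As a side note, the CWE-78/89/94 labels repeated in the accompanying changeset overstate the sink: this is a stderr log line, so the realistic impact is log/terminal output injection (CWE-117/CWE-150), which is worth stating accurately there. The enclosing `processIncludesWithVisited` starts and ends outside the hunk.
```go
				// … unchanged: optionalMarker computation …
				// Strip control characters (newlines, ANSI escapes) from the path before echoing
				// it, so a crafted import directive cannot inject extra lines into stderr.
				safePath := strings.Map(func(r rune) rune {
					if unicode.IsControl(r) {
						return -1
					}
					return r
				}, directive.Path)
				fmt.Fprintln(os.Stderr, console.FormatWarningMessage(fmt.Sprintf("Deprecated syntax: %q. Use {{#import%s %s}} instead.",
					directive.Original,
					optionalMarker,
					safePath)))
```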
From: Changeset Generator
Date: Sat, 11 Oct 2025 05:55:51 +0000
Subject: [PATCH 2/2] Add changeset for security fix: unsafe quoting in import directive warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 ...atch-fix-unsafe-quoting-frontmatter-import-directive.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md

diff --git a/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md b/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md
new file mode 100644
index 00000000000..285382e8f4b
--- /dev/null
+++ b/.changeset/patch-fix-unsafe-quoting-frontmatter-import-directive.md
@@ -0,0 +1,7 @@
+---
+"gh-aw": patch
+---
+
+Security Fix: Unsafe Quoting in Import Directive Warning (Alert #8)
+
+Fixed unsafe string quoting in the `processIncludesWithVisited` function that could lead to potential injection vulnerabilities. The fix applies Go's `%q` format specifier to safely escape special characters in deprecation warning messages, replacing the unsafe `'%s'` pattern. This addresses CodeQL alert #8 (go/unsafe-quoting) related to CWE-78 (OS Command Injection), CWE-89 (SQL Injection), and CWE-94 (Code Injection).