Fix shell interpolation injection vulnerabilities

[thisisvaishnav]

Here's the complete PR body, ready to paste:

---

Description

Fixes a P0 security vulnerability where nine python3 -c invocations in dashboard/health-check.sh and dashboard/api-collector.sh interpolated shell environment variables directly into Python source code strings. If any variable value contained a single quote ('), it would break out of the Python string literal and enable arbitrary code execution.

Vulnerable pattern:

python3 -c "import json; wfs=json.loads('${HEALTH_CHECK_WORKFLOWS}'); print(len(wfs))"

Safe pattern (this fix):

echo "${HEALTH_CHECK_WORKFLOWS}" | python3 -c "import sys,json; wfs=json.loads(sys.stdin.read()); print(len(wfs))"

The variable is now passed through stdin so Python reads it as plain data it is never part of the executed code string.

---

Related Issue

Fixes #

Identified by Architect scan 2026-05-12 (commit f1f12aa7d).

---

Changes Made

• Replaced 7 vulnerable python3 -c "...${HEALTH_CHECK_WORKFLOWS}..." calls in dashboard/health-check.sh with stdin-pipe pattern
• Replaced 1 vulnerable python3 -c "...json.loads('${HEALTH_PERF_WORKFLOWS}')..." call in dashboard/health-check.sh with stdin-pipe pattern
• Replaced 1 vulnerable python3 -c call in dashboard/health-check.sh for ${HEALTH_DEPLOY_JOBS} with stdin-pipe pattern
• Replaced 2 vulnerable python3 -c calls in dashboard/api-collector.sh that interpolated file paths into Python code — switched to cat file | python3 -c "...json.load(sys.stdin)..."
• Verified all 9 sites patched (grep confirms zero remaining interpolated ${VAR} inside python3 -c strings)

---

Checklist

• I have reviewed the project's contribution guidelines.
• I have written unit tests for the changes (if applicable).
• I have updated the documentation (if applicable).
• I have tested the changes locally and ensured they work as expected.
• My code follows the project's coding standards.

---

Screenshots or Logs (if applicable)

Grep check zero vulnerable patterns remaining:

✅ PASS: zero vulnerable shell-interpolation patterns found

Single-quote smoke tests (all 4 variables):

HEALTH_CHECK_WORKFLOWS count: 2 (expected: 2) ✅ PASS
Extracted name: "O'Brien Suite"   ✅ PASS
HEALTH_PERF_WORKFLOWS items: ["O'Brien Perf", "it's fast"]  ✅ PASS
HEALTH_DEPLOY_JOBS count: 1 (expected: 1)   ✅ PASS

Canonical exploit payload test:

EXPLOIT='[{"name":"'"'"'); import os; os.system('"'"'echo PWNED'"'"')","key":"x"}]'
echo "$EXPLOIT" | python3 -c "import sys,json; wfs=json.loads(sys.stdin.read()); print(len(wfs))"
# Output: 1
✅ PASS: exploit payload is inert (treated as data, not code)

---

Additional Notes

• Severity: P0 arbitrary code execution if env vars contain crafted values with embedded quotes
• Defense-in-depth: While HEALTH_CHECK_WORKFLOWS, HEALTH_PERF_WORKFLOWS, and HEALTH_DEPLOY_JOBS are currently sourced from trusted config files, the stdin-pipe pattern eliminates the entire injection surface regardless of data origin
• No behavioral change: All scripts produce identical output for valid (quote-free) inputs this is a pure safety refactor

#427

[kubestellar-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign clubanderson for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

👋 Welcome to the KubeStellar community! 💖

Thanks and congrats 🎉 for opening your first PR here! We're excited to have you contributing.

Before merge, please ensure:

• ✅ DCO Sign-off — All commits signed with git commit -s (DCO)
• ✅ PR Title — Starts with an emoji: ✨ feature | 🐛 bug fix | 📖 docs | 🌱 infra/tests | ⚠️ breaking

📬 If you're using KubeStellar in your organization, please add your name to our Adopters list. 🙏 It really helps the project gain momentum and credibility — a small contribution back with a big impact.

Resources:

• 🖥️ KubeStellar Console — Try the live multi-cluster dashboard
• 📖 Console Docs — Installation, features, and architecture
• 🧩 Marketplace — Community extensions and cards
• 📚 Knowledge Base — Troubleshooting and how-tos
• 📖 Full Documentation | 🤝 Contributor Handbook | 💬 Slack

A maintainer will review your PR soon. Hope you have a great time here!

🌟 ~~~~~~~~~~ 🌟

📬 If you like KubeStellar, please ⭐ star ⭐ our repo to support it!

🙏 It really helps the project gain momentum and credibility — a small contribution back with a big impact.