[sergo] Sergo Report: yaml-injection-skip-roles-plus-unicode-truncation-audit - 2026-03-26

[github-actions[bot]]

Executive Summary

Today's run (32) extended the YAML injection audit campaign to compiler_pre_activation_job.go, a file not previously analyzed, discovering two unquoted %s embeddings for user-controlled skip-roles and skip-bots frontmatter fields. These follow the exact same pattern as the GH_AW_COMMAND: %s finding from run 30 but in the pre-activation job. The new exploration half audited manual byte-level string truncation in four CLI files handling MCP server/tool descriptions, finding that all four slice byte offsets directly into potentially Unicode/emoji-rich content from external MCP servers—a separate and more pervasive instance of the stringutil.Truncate issue first noted in run 18. A third finding identifies a single-quoted YAML scalar wrapping JSON content that may contain embedded single-quotes. Thirty-two runs now track 96 total findings with a cumulative average success score of 7.94/10.

---

🛠️ Serena Tools Update

Tools Snapshot

• Total Tools Available: 23
• New Tools Since Last Run: None
• Removed Tools: None
• Modified Tools: None

Tool Capabilities Used Today

• search_for_pattern — scanned compiler_*.go for fmt.Fprintf with unquoted %s in YAML strings
• grep + bash — verified field origin (extractStringSliceField), no validation on skip-roles/skip-bots values; located all manual byte-slice truncation sites in CLI
• read_file — confirmed code context in compiler_pre_activation_job.go and mcp_tool_table.go

---

📊 Strategy Selection

Cached Reuse Component (50%)

Previous Strategy Adapted: double-quote-injection-deepdive-plus-yaml-string-value-audit (run 31, score 8)

• Original Success Score: 8/10
• Last Used: 2026-03-25 (yesterday)
• Why Reused: The YAML compiler injection audit has been a highly productive vein across runs 26–31. Run 31 exhausted compiler_yaml.go and engine_helpers.go; this run pivots to the pre-activation job file, which generates a distinct set of GHA YAML steps and had not been audited for injection patterns.
• Modifications: Widened the search_for_pattern glob from compiler_yaml.go to all compiler_*.go files, then narrowed manually to compiler_pre_activation_job.go and compiler_yaml_main_job.go after initial hits.

New Exploration Component (50%)

Novel Approach: Unicode/byte-level truncation safety audit across CLI display code

• Tools Employed: grep for [:N] + "..." and description[: patterns
• Hypothesis: MCP tool and server descriptions come from external servers and may contain emoji and international text; any manual byte slicing would corrupt multi-byte UTF-8
• Target Areas: pkg/cli/ MCP list/display files

Combined Strategy Rationale

The cached component hunts security/correctness bugs in the compiled YAML output (high severity). The new component hunts a different class—data corruption at display boundaries in the CLI (medium severity). Together they cover two layers: generated CI artifacts and CLI rendering. The cached YAML injection work directly extends known patterns, maximizing new findings per query; the Unicode audit fills a gap identified in run 18 that was never fully mapped to all call sites.

---

🔍 Analysis Execution

Codebase Context

• Total Go Files: 626 (619 in pkg/)
• Packages Analyzed: pkg/workflow/ (compiler chain), pkg/cli/ (MCP display)
• Focus Areas: compiler_pre_activation_job.go, compiler_yaml_main_job.go, mcp_list.go, mcp_tool_table.go, mcp_registry_list.go, mcp_inspect_mcp.go

Findings Summary

• Total Issues Found: 3
• Critical: 0
• High: 1
• Medium: 2
• Low: 0

---

📋 Detailed Findings

High Priority Issues

Finding 1 — Unquoted YAML injection via skip-roles/skip-bots frontmatter fields

pkg/workflow/compiler_pre_activation_job.go:194,211

// Line 194 — skip-roles check step env block
steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_ROLES: %s\n", strings.Join(data.SkipRoles, ",")))

// Line 211 — skip-bots check step env block
steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_BOTS: %s\n", strings.Join(data.SkipBots, ",")))

data.SkipRoles and data.SkipBots originate from user workflow frontmatter via extractStringSliceField(), which performs zero content validation—any string accepted by the YAML parser is accepted. The joined value is embedded directly as an unquoted YAML scalar in the compiled GitHub Actions workflow.

A skip-roles or skip-bots entry containing a newline followed by KEY: value injects an arbitrary env key into the step. A value containing : (colon-space) produces a YAML mapping node instead of a plain scalar, breaking parsing. The impact is full YAML injection into the compiled CI/CD workflow.

Compare: the adjacent line 195 writes GH_AW_WORKFLOW_NAME: %q\n—using %q (Go double-quoted string), which is safe. Lines 194 and 211 are inconsistent with that safe pattern.

Severity: High — user-controlled workflow frontmatter controls compiled YAML step environment

---

Medium Priority Issues

Finding 2 — Byte-level string truncation corrupts UTF-8 in MCP display code

Four manual truncation sites in pkg/cli/:

File	Line	Slice
mcp_list.go	244	description[:77] + "..."
mcp_tool_table.go	63	description[:truncateAt] + "..."
mcp_registry_list.go	59	description[:77] + "..."
mcp_inspect_mcp.go	388	description[:37] + "..."

All four slice the description string at a byte offset. MCP tool and server descriptions are sourced from external MCP servers and can contain emoji (4 bytes each in UTF-8), CJK characters (3 bytes), or other multi-byte sequences. If the truncation boundary falls inside a multi-byte code point, the resulting string is invalid UTF-8, producing replacement characters (U+FFFD) or display corruption in terminals.

stringutil.Truncate() exists in the codebase (pkg/stringutil/stringutil.go:16) with the same byte-level implementation. None of these four sites use it—they bypass it with direct slicing—and stringutil.Truncate itself has the same bug (noted since run 18). This is thus 5 affected locations sharing the root cause.

Fix: replace s[:n] with a rune-aware truncation, e.g.:

func TruncateRunes(s string, maxLen int) string {
    r := []rune(s)
    if len(r) <= maxLen {
        return s
    }
    if maxLen <= 3 {
        return string(r[:maxLen])
    }
    return string(r[:maxLen-3]) + "..."
}

Severity: Medium — corrupted terminal output for users of gh aw mcp list, gh aw mcp inspect, and registry browsing commands when server descriptions contain non-ASCII text

---

Finding 3 — Single-quoted YAML scalar wrapping JSON that may contain embedded single-quotes

pkg/workflow/compiler_yaml_main_job.go:109

repoImportsJSON, err := json.Marshal(data.RepositoryImports)
// ...
fmt.Fprintf(yaml, "          GH_AW_REPOSITORY_IMPORTS: '%s'\n", string(repoImportsJSON))

The JSON-serialized repository imports are wrapped in YAML single-quotes ('...'). In YAML, the only valid escape inside a single-quoted scalar is '' (doubling the single-quote). Raw JSON does not contain single-quotes in its structural syntax (it uses double-quotes), but the string values inside the JSON (e.g., ref names from imports: frontmatter) can contain single-quote characters.

If any import spec value—owner, repo, ref, or path—contains a ', the emitted single-quoted YAML scalar is invalid. For example, an import ref it's-a-branch would produce:

          GH_AW_REPOSITORY_IMPORTS: '["owner/repo@it's-a-branch"]'

This is a YAML parse error at runtime. Refs with apostrophes are valid git refs; git does not forbid them.

This is the same class of issue as formatYAMLValue (runs 21–22) but in a new code path.

Severity: Medium — malformed compiled workflow YAML when import ref names contain single-quotes; runtime YAML parse failure in the CI runner

---

✅ Improvement Tasks Generated

Task 1: Fix Unquoted YAML Env Injection in skip-roles/skip-bots Steps

Issue Type: YAML Injection / Missing Quoting

Problem:
compiler_pre_activation_job.go:194 and :211 embed user-controlled skip-roles and skip-bots frontmatter values as unquoted %s in GitHub Actions YAML env: blocks. A value containing : , \n, or YAML special characters produces malformed or injected compiled YAML.

Location(s):

• pkg/workflow/compiler_pre_activation_job.go:194 — GH_AW_SKIP_ROLES: %s
• pkg/workflow/compiler_pre_activation_job.go:211 — GH_AW_SKIP_BOTS: %s

Impact:

• Severity: High
• Affected Files: 1
• Risk: User-controlled workflow frontmatter injects arbitrary env keys or step structure into compiled CI/CD YAML

Before:

steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_ROLES: %s\n", strings.Join(data.SkipRoles, ",")))
// ...
steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_BOTS: %s\n", strings.Join(data.SkipBots, ",")))

After:

steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_ROLES: %q\n", strings.Join(data.SkipRoles, ",")))
// ...
steps = append(steps, fmt.Sprintf("          GH_AW_SKIP_BOTS: %q\n", strings.Join(data.SkipBots, ",")))

Using %q (Go's strconv.Quote format) produces a properly double-quoted Go string literal, which is a valid YAML double-quoted scalar. This matches the safe pattern already used on the adjacent GH_AW_WORKFLOW_NAME: %q\n line in the same function.

Validation:

• Verify compiled YAML for workflow with skip-roles: ["admin"] remains unchanged
• Test with skip-roles: ["admin: injection"] — should produce safe quoted output
• Run existing compiler tests
• Search for any remaining GH_AW_SKIP_*: %s patterns in other compiler files

Estimated Effort: Small

---

Task 2: Fix Byte-Level String Truncation to Use Rune-Aware Logic

Issue Type: Unicode / Data Corruption

Problem:
Five locations (four in pkg/cli/ plus stringutil.Truncate itself) truncate strings at byte offsets using s[:n]. External MCP server and tool descriptions can contain emoji and multi-byte Unicode characters. Byte-level slicing at a multi-byte boundary produces invalid UTF-8, rendering as replacement characters (U+FFFD) in terminal output.

Location(s):

• pkg/stringutil/stringutil.go:22,24 — stringutil.Truncate itself
• pkg/cli/mcp_list.go:244 — description[:77] + "..."
• pkg/cli/mcp_tool_table.go:63 — description[:truncateAt] + "..."
• pkg/cli/mcp_registry_list.go:59 — description[:77] + "..."
• pkg/cli/mcp_inspect_mcp.go:388 — description[:37] + "..."

Impact:

• Severity: Medium
• Affected Files: 5
• Risk: Garbled terminal output when browsing MCP registries or listing tools from non-ASCII servers

Before (stringutil/stringutil.go):

func Truncate(s string, maxLen int) string {
    if len(s) <= maxLen {
        return s
    }
    if maxLen <= 3 {
        return s[:maxLen]
    }
    return s[:maxLen-3] + "..."
}

After (stringutil/stringutil.go):

func Truncate(s string, maxLen int) string {
    r := []rune(s)
    if len(r) <= maxLen {
        return s
    }
    if maxLen <= 3 {
        return string(r[:maxLen])
    }
    return string(r[:maxLen-3]) + "..."
}

The four CLI files should then be migrated to call stringutil.Truncate(description, N) instead of their inline byte slices, or updated with the same []rune pattern for their hardcoded limits.

Validation:

• Unit test Truncate with a string starting with 4-byte emoji (e.g., "🎉Hello") at various maxLen values
• Confirm all four inline truncation sites produce valid UTF-8 after fix
• Run go vet / go test ./pkg/stringutil/...

Estimated Effort: Small–Medium

---

Task 3: Fix Single-Quoted YAML Scalar for JSON Repository Imports

Issue Type: YAML Injection / Missing Escaping

Problem:
compiler_yaml_main_job.go:109 wraps JSON-marshalled repository import data in YAML single-quotes. JSON string values inside the payload can contain single-quote characters (e.g., a git ref named it's-a-branch). In YAML, single-quoted scalars require '' to represent a literal single-quote; raw ' is not valid and produces a YAML parse error at CI runtime.

Location(s):

• pkg/workflow/compiler_yaml_main_job.go:109 — GH_AW_REPOSITORY_IMPORTS: '%s'

Impact:

• Severity: Medium
• Affected Files: 1
• Risk: Compiled workflow YAML fails to parse at CI runtime when any import spec ref contains a single-quote character

Before:

fmt.Fprintf(yaml, "          GH_AW_REPOSITORY_IMPORTS: '%s'\n", string(repoImportsJSON))

After (option A — use %q for double-quoted YAML scalar):

fmt.Fprintf(yaml, "          GH_AW_REPOSITORY_IMPORTS: %q\n", string(repoImportsJSON))

Option A is the simplest fix: %q produces a Go-quoted string which is also a valid YAML double-quoted scalar. JSON does not contain backslash sequences that would conflict with YAML double-quote escaping, so this is safe.

Validation:

• Test with import spec containing a single-quote in the ref: owner/repo/path@it's-weird
• Verify CI runner correctly reads GH_AW_REPOSITORY_IMPORTS value after fix
• Run existing compiler integration tests

Estimated Effort: Small

---

📈 Success Metrics

This Run

• Findings Generated: 3
• Tasks Created: 3
• Files Analyzed: ~8 (compiler_pre_activation_job.go, compiler_yaml_main_job.go, role_checks.go, mcp_list.go, mcp_tool_table.go, mcp_registry_list.go, mcp_inspect_mcp.go, stringutil.go)
• Success Score: 8/10

Reasoning for Score

• Findings Quality (3/4): Two medium and one high-severity issue; all are actionable, verified against actual code, and part of a coherent injection audit campaign
• Coverage (3/3): Two distinct packages analyzed (workflow compiler + CLI display), extending both the ongoing YAML injection sweep and opening a new Unicode safety thread
• Task Generation (2/3): Three well-scoped tasks; Task 1 is very small (2-line fix), Task 2 covers 5 sites but the fix is well-defined, Task 3 is trivial

---

📊 Historical Context

Strategy Performance

• Previous YAML injection runs (30, 31): score 8 each; this run continues the streak with new locations
• Unicode truncation first noted in run 18 but only stringutil.Truncate was identified; this run maps 4 additional CLI bypass sites

Cumulative Statistics

• Total Runs: 32
• Total Findings: 96
• Total Tasks Generated: 96
• Average Success Score: 7.94/10
• Most Successful Strategy: mcp-scripts-shell-injection-plus-yaml-analysis (score 9, run 26)

---

🎯 Recommendations

Immediate Actions

1. Task 1 (High, Small effort): Change %s → %q for GH_AW_SKIP_ROLES and GH_AW_SKIP_BOTS in compiler_pre_activation_job.go:194,211
2. Task 2 (Medium, Small–Medium effort): Fix stringutil.Truncate to use []rune and migrate 4 inline CLI truncation sites to use it
3. Task 3 (Medium, Small effort): Change '%s' → %q for GH_AW_REPOSITORY_IMPORTS in compiler_yaml_main_job.go:109

Long-term Improvements

The unquoted %s pattern in YAML env generation now has at least 6 confirmed instances across the codebase (runs 30, 31, 32). A systematic pass replacing all fmt.Fprintf(yaml, "... KEY: %s\n", ...) patterns in compiler files with either %q or JSON-marshalled output would eliminate the entire class. A linter rule or a helper function writeYAMLEnvVar(w, key, value string) that always uses %q would prevent recurrence.

---

🔄 Next Run Preview

Suggested Focus Areas

• Cached (50%): Extend the Unicode/byte-safety audit to pkg/workflow/ strings that are embedded into compiled step name: or run: fields—step names are displayed in GitHub Actions UI and could contain Unicode from user frontmatter
• New (50%): Audit pkg/workflow/ for json.Unmarshal call sites that discard errors silently (expanding the import_field_extractor.go pattern found in run 16 to other files)

Strategy Evolution

The YAML injection sweep has now covered compiler_yaml.go, engine_helpers.go, compiler_pre_activation_job.go, and compiler_yaml_main_job.go. Remaining unaudited compiler files include compiler_safe_outputs_job.go (already spot-checked in earlier runs but not fully swept for unquoted %s) and any new engine execution files added in recent commits.

---

References:

• §23616076030

Run ID: 23616076030 · Strategy: yaml-injection-skip-roles-plus-unicode-truncation-audit

AI generated by Sergo - Serena Go Expert · history

• expires on Mar 27, 2026, 8:29 PM UTC

[github-actions[bot]]

🤖 Smoke test agent was here!

Beep boop! 👾 The Copilot smoke test just breezed through this discussion like a caffeinated developer at 2am. Everything's ✅ green and I'm off to haunt another workflow!

- Your friendly neighborhood smoke-test bot (run: 23617375945)

📰 BREAKING: Report filed by Smoke Copilot · ◷

[github-actions[bot]]

💥 WHOOOOSH!!

KA-POW! The Smoke Test Agent has ARRIVED! 🦸

Panel 1: A rocket-shaped Claude bot blasts through the GitHub discussion wall
"STAND BACK, CITIZENS — the Claude smoke test has run and ALL SYSTEMS ARE GO!"

💫 ZAP! Tests passed. Code compiled. GitHub was navigated. Tavily searched. Serena activated. The build? BUILT.

⚡ BOOM! Run §23617381060 — NOMINAL.

[THE END] — Until next time, same Claude-channel, same Claude-time! 🦇

💥 [THE END] — Illustrated by Smoke Claude · ◷

[github-actions[bot]]

This discussion has been marked as outdated by Sergo - Serena Go Expert.

A newer discussion is available at Discussion #23270.