From PR #66 review (GLM 5.1, finding #3):
seed-demo-data.sh interpolates $BASE_URL directly into a Python string,
which could break or allow code injection if the URL contains quotes.
Fix: pass via environment variable instead:
BASE_URL="$BASE_URL" python3 -c "import os; url = os.environ['BASE_URL'] + '/documents'"
Low risk — the script is developer-only tooling, not user-facing.
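The interpolated form and the environment-variable form side by side, as an added example (this is not the code of seed-demo-data.sh, whose contents are not shown here). The function names and sample URLs are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; function names and sample inputs are constructed.

# Before: the shell expands $1 inside the double-quoted program text,
# so the URL becomes part of the Python source that gets parsed.
build_url_interpolated() {
    python3 -c "url = '$1' + '/documents'; print(url)" 2>/dev/null
}

# After: the program text is a single-quoted constant and the URL
# reaches Python only as data, through the environment.
build_url_env() {
    BASE_URL="$1" python3 -c 'import os; print(os.environ["BASE_URL"] + "/documents")'
}

# Constructed inputs: a plain URL, a URL containing a quote, and a value
# whose quote closes the string literal so the rest is parsed as code.
for u in "http://localhost:8000" \
         "http://localhost:8000/o'brien" \
         "x' + str(6*7) + '"; do
    printf 'input:        %s\n' "$u"
    printf 'interpolated: %s\n' "$(build_url_interpolated "$u" || echo '(Python could not parse the program)')"
    printf 'environment:  %s\n\n' "$(build_url_env "$u")"
done
```

With the third input the interpolated form evaluates the expression and prints `x42/documents`, while the environment form returns the input unchanged with `/documents` appended.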