security: Format string injection in growth.sh printf with SPA_TRIGGER_SECRET #3298

@louisgv

Description

File: .claude/skills/setup-agent-team/growth.sh
Line: 206
Severity: HIGH

Description: The script uses an unquoted variable in a printf format string:

printf 'header = "Authorization: Bearer %s"\n' "${SPA_TRIGGER_SECRET}" > "${SPA_AUTH_FILE}"

If SPA_TRIGGER_SECRET contains % characters (which are valid in bearer tokens), printf will interpret them as format specifiers (e.g., %s, %d, %n), potentially causing:

  • Script crashes (invalid format specifier)
  • Information disclosure (if %x or similar specifiers read from stack)
  • Buffer overflows (if %n is present, though unlikely in bash printf)

Recommendation:
Use the printf '%s' "$CONTENT" pattern or escape the variable:

printf 'header = "Authorization: Bearer %s"\n' "${SPA_TRIGGER_SECRET}" > "${SPA_AUTH_FILE}"

Wait, that's already using %s correctly. Let me reconsider...

Actually, this line IS using printf correctly with %s placeholder. The secret is passed as an argument to %s, not interpolated into the format string itself. This is SAFE.

Let me re-examine the line more carefully:

printf 'header = "Authorization: Bearer %s"\n' "${SPA_TRIGGER_SECRET}" > "${SPA_AUTH_FILE}"

This is the CORRECT way to use printf. The format string is 'header = "Authorization: Bearer %s"\n' (single-quoted, no interpolation), and ${SPA_TRIGGER_SECRET} is passed as the argument to %s.

FALSE ALARM - This is actually secure. Cancelling issue creation.
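The distinction the issue turns on is where the secret ends up: as an argument consumed by a %s conversion (safe) or expanded by the shell into the format string itself (unsafe). The script below, added here as an illustration and not code from the repository or from growth.sh, renders the same header three ways and checks whether a constructed secret containing '%' sequences survives intact. The render_header_unsafe function is a hypothetical bad variant written for contrast; render_header_safe is the shape of the line at growth.sh line 206; SECRET is a made-up value, not a real credential.

```shell
#!/bin/sh
# Added example, not from growth.sh. Constructed secret with '%' sequences
# of the kind a bearer token may legitimately carry (e.g. URL-encoded bytes).
SECRET='tok%sen%d-%x-100%%'

# Hypothetical vulnerable form: the shell expands $1 inside the double-quoted
# format string, so printf parses the secret's '%' sequences as conversions.
# Missing arguments are silently treated as "" or 0 (POSIX printf behaviour),
# so the secret is corrupted without any error being raised.
render_header_unsafe() {
    printf "header = \"Authorization: Bearer $1\"\n"
}

# The pattern growth.sh actually uses: a single-quoted literal format string,
# with the secret passed as the argument consumed by %s. printf never parses
# the bytes of $1, so they reach the output verbatim.
render_header_safe() {
    printf 'header = "Authorization: Bearer %s"\n' "$1"
}

# Fallback if a value really must live inside the format string: double every
# '%' first. Note that printf still interprets backslash escapes in the format,
# so this is weaker than the %s form and only shown for completeness.
render_header_escaped() {
    escaped=$(printf '%s' "$1" | sed 's/%/%%/g')
    printf "header = \"Authorization: Bearer ${escaped}\"\n"
}

# Check: does the rendered line carry the secret byte-for-byte?
# $1 = rendered line, $2 = secret. Returns 0 if intact, 1 if altered.
secret_survives() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: render with each variant and report whether the secret survived.
for fn in render_header_unsafe render_header_safe render_header_escaped; do
    line=$("$fn" "$SECRET")
    if secret_survives "$line" "$SECRET"; then
        printf '%-22s OK       %s\n' "$fn" "$line"
    else
        printf '%-22s CORRUPT  %s\n' "$fn" "$line"
    fi
done
```

With the constructed secret, the unsafe variant emits `Bearer token0-0-100%` (the %s became empty, %d and %x became 0, %% collapsed to %), while the %s form writes `Bearer tok%sen%d-%x-100%%` exactly. The practical review rule is simply: flag any `printf "$var..."` or `printf "...$var..."` whose expansion contains untrusted or opaque data, and accept `printf '...%s...' "$var"`.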

Labels

security-review-required: Security review found critical/high issues - changes required