
GH#3603: fix critical quality-debt from PR #436 review feedback #4338

Merged
alex-solovyev merged 2 commits into main from bugfix/GH-3603-wp-helper-command-injection on Mar 13, 2026

Conversation

@alex-solovyev
Collaborator

Summary

Fixes the command injection vulnerability in wp-helper.sh identified by Gemini Code Assist in the PR #436 review.

Root Cause

PR #436 refactored build_ssh_command/execute_wp_via_ssh to eliminate eval, but the replacement code interpolated $wp_command directly into the SSH remote command string without quoting:

# VULNERABLE (before):
ssh ... "${ssh_user}@${ssh_host}" "cd $(printf %q "$wp_path") && wp $wp_command"

If $wp_command contained shell metacharacters (;, `, $(...), &&, ||, etc.), they would be interpreted by the remote shell — a command injection vulnerability.

Fix

Quote each word of $wp_command using printf '%q ' before embedding it in the remote command string:

# SAFE (after):
quoted_wp_command=$(printf '%q ' $wp_command)
ssh ... "${ssh_user}@${ssh_host}" "cd $(printf %q "$wp_path") && wp $quoted_wp_command"

The localwp case (direct local execution via subshell) is unaffected — it uses intentional word-splitting for direct wp invocation, not a shell-interpreted string.

Verification

  • shellcheck -S error .agents/scripts/wp-helper.sh passes with no errors
  • Normal WP-CLI commands (e.g. plugin list --format=json) are unaffected: printf '%q ' quotes them safely
  • Malicious input (e.g. plugin list; rm -rf /) is neutralised: the semicolon becomes \; in the remote command

Closes #3603
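As an added example (not code from the PR or from the project's wp-helper.sh), the two ways of building the remote command string side by side, run through a stub that stands in for the remote shell; the function names are hypothetical, the inputs are constructed, bash is required for printf %q, and the subshell set -f is an extra precaution the PR does not add, since the unquoted expansion would otherwise also glob-expand words such as *.

```shell
#!/usr/bin/env bash
# Added example, not the project's wp-helper.sh; function names are hypothetical.
# Requires bash (printf %q is a bash feature). Inputs below are constructed.

# VULNERABLE form: wp_command is interpolated raw, so any shell metacharacter
# in it is parsed as syntax by the remote shell.
build_remote_cmd_unsafe() {
  local wp_path=$1 wp_command=$2
  printf 'cd %q && wp %s' "$wp_path" "$wp_command"
}

# FIXED form: word-split wp_command as the PR does (unquoted expansion), then
# backslash-quote each word with printf '%q '. The subshell set -f is an extra
# precaution the PR does not add: without it the unquoted expansion would also
# glob-expand words such as '*' against the local working directory.
build_remote_cmd_safe() {
  local wp_path=$1 wp_command=$2 quoted
  # shellcheck disable=SC2086  # word-splitting is the intended behaviour here
  quoted=$(set -f; printf '%q ' $wp_command)
  printf 'cd %q && wp %s' "$wp_path" "${quoted% }"
}

# Stand-in for the remote shell: a stub wp prints its argv in brackets, then
# the command string is parsed and run the way the login shell on the SSH
# host would parse it. Anything printed outside brackets ran as a second command.
simulate_remote() {
  wp() { printf '[%s]' "$@"; echo; }
  ( eval "$1" )
}

# Constructed inputs: a normal WP-CLI command and a benign injection probe.
NORMAL_CMD='plugin list --format=json'
PROBE_CMD='plugin list; echo injected'

demo() {
  local cmd
  for cmd in "$NORMAL_CMD" "$PROBE_CMD"; do
    printf 'input : %s\n' "$cmd"
    printf 'unsafe: %s\n' "$(simulate_remote "$(build_remote_cmd_unsafe /tmp "$cmd")")"
    printf 'safe  : %s\n' "$(simulate_remote "$(build_remote_cmd_safe /tmp "$cmd")")"
  done
}

demo
```

With the probe, the unsafe string hands wp only two arguments and then runs echo as a separate command, while the safe string delivers all four words to wp as literal arguments.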

@github-actions github-actions bot added the bug Auto-created from TODO.md tag label Mar 13, 2026
@coderabbitai
Contributor

coderabbitai bot commented Mar 13, 2026

Warning

Rate limit exceeded

@alex-solovyev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 27 minutes and 1 seconds before requesting another review.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b1d4a14a-ad40-4adb-8a69-3820f3244b0d

📥 Commits

Reviewing files that changed from the base of the PR and between ad2237e and e5c4263.

📒 Files selected for processing (1)
  • .agents/scripts/wp-helper.sh
@github-actions
Contributor

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 413 code smells

[INFO] Recent monitoring activity:
Fri Mar 13 02:48:20 UTC 2026: Code review monitoring started
Fri Mar 13 02:48:20 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 413

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 413
  • VULNERABILITIES: 0

Generated on: Fri Mar 13 02:48:23 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

@marcusquinn
Owner

Dispatching worker for failing CI remediation.

  • Model: default alternating headless provider
  • Branch: bugfix/quality-debt: PR #436 review feedback (critical) #3603-wp-helper-command-injection
  • Scope: diagnose failing checks and implement smallest correct fix to make CI pass
  • Attempt: 1 of 1
  • Direction: preserve existing PR scope and keep issue linkage intact

@marcusquinn
Owner

Dispatching worker for failing CI remediation.

  • Model: default alternating headless provider
  • Branch: bugfix/GH-3603-wp-helper-command-injection
  • Scope: diagnose failing checks and implement smallest correct fix to make CI pass
  • Attempt: 1 of 1
  • Direction: preserve existing PR scope and keep issue linkage intact

@marcusquinn
Owner

Initial worker launch validation failed; re-dispatching immediately with explicit provider fallback.

  • Correction: relaunch using openai/gpt-5.3-codex
  • Reason: launch gate reported invalid startup for previous attempt

@alex-solovyev
Collaborator Author

PR has merge conflicts (DIRTY) after sibling PRs merged. Dispatching worker to rebase.

alex-solovyev and others added 2 commits March 13, 2026 08:04
… injection

GH#3603: The PR #436 refactor of wp-helper.sh introduced a command injection
vulnerability by interpolating $wp_command directly into the SSH remote
command string without quoting. If wp_command contained shell metacharacters
(e.g. semicolons, backticks, $(...)), they would be interpreted by the remote
shell.

Fix: use printf '%q ' to shell-quote each word of wp_command before embedding
it in the remote command string. The localwp case (local execution via cd+wp)
is unaffected as it uses word-splitting intentionally for direct execution.

ShellCheck -S error passes.
@alex-solovyev alex-solovyev force-pushed the bugfix/GH-3603-wp-helper-command-injection branch from 5106f2a to e5c4263 Compare March 13, 2026 07:04
@github-actions
Contributor

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 412 code smells

[INFO] Recent monitoring activity:
Fri Mar 13 07:05:28 UTC 2026: Code review monitoring started
Fri Mar 13 07:05:28 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 412

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 412
  • VULNERABILITIES: 0

Generated on: Fri Mar 13 07:05:30 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

Labels

bug Auto-created from TODO.md tag

Development

Successfully merging this pull request may close these issues.

quality-debt: PR #436 review feedback (critical)
