{
  "commit": "fa828f428c661607ffb47e4cc7e980e8b4284733",
  "tree": "142894f3fe1fdda32fa372990432d10663c20560",
  "parents": [
    "ad2f5f0ecd0f44524bb651b3ff603d0f29708d7a"
  ],
  "author": {
    "name": "Xiang Ji",
    "email": "jxiang@google.com",
    "time": "Wed Mar 11 21:10:51 2026"
  },
  "committer": {
    "name": "Xiang Ji",
    "email": "jxiang@google.com",
    "time": "Thu Mar 12 17:07:09 2026"
  },
  "message": "Fix textproto injection vulnerability in host configuration generation\n\nValidate resource fields (ResourceName, ResourceImageSource,\nResourceImageProject, ResourceImageFamily) before interpolating them\ninto textproto templates via fmt.Sprintf. Without this, a malicious\nvalue containing \u0027, \\n, or } could break out of the single-quoted\nstring context in the template and inject arbitrary textproto\nstructure — including metadata items that cel_agent executes as\nshell commands on the lab VM.\n\nBug: 491338977\nChange-Id: If90678d9c18713d58b221f2270029f95bdecebc5\nReviewed-on: https://chromium-review.googlesource.com/c/enterprise/cel/+/7658722\nReviewed-by: Jonathan Lee \u003cjonathanjlee@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "1cd770ca1f0745ed96d6f792f9016dabc37cce6b",
      "old_mode": 33188,
      "old_path": "go/poros/fetch_configuration.go",
      "new_id": "b1e63b7f3583dc7c049ac0b027aaa8b495675722",
      "new_mode": 33188,
      "new_path": "go/poros/fetch_configuration.go"
    },
    {
      "type": "modify",
      "old_id": "3104ada2a316ccc21db11703ca57ad67cccac091",
      "old_mode": 33188,
      "old_path": "go/poros/fetch_configuration_test.go",
      "new_id": "a4124aad1a6228d9a430c0cb52f00a2ed8bda3fb",
      "new_mode": 33188,
      "new_path": "go/poros/fetch_configuration_test.go"
    }
  ]
}
