Opus finding
feed.sh injects $LIMIT into jq filter via shell concatenation — non-numeric LIMIT can break or inject
low · security · medium
- bankr-signals/scripts/feed.sh:44-47
$LIMIT is interpolated into the jq program text without validation, so its value becomes part of the filter rather than data passed to it. A user passing `--limit '10] | .[0]'` or similar can alter the jq program; passing a non-integer (e.g. `abc`) produces a jq syntax error. Use `--argjson limit` instead, which passes the value as a jq variable rather than as program text.
Recommendation
Use `jq -s --argjson limit "$LIMIT" 'add | sort_by(-.post_timestamp) | .[0:$limit]'` and validate LIMIT is an integer at argparse time.
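The following is an added example of the recommended fix, not the project's feed.sh: it validates the limit as a non-negative integer before jq is called and passes it with `--argjson` as a separate argv entry, so the value can never become part of the filter text. The original vulnerable shape is shown only as a comment, reconstructed from the description above; the sample post files are constructed for the demo, and jq (1.5 or later, for `--argjson`) is assumed to be installed.

```shell
#!/bin/sh
# Hardened replacement for the $LIMIT handling described in the finding.
# Vulnerable shape (assumed from the finding; the value lands in program text):
#   jq -s "add | sort_by(-.post_timestamp) | .[0:$LIMIT]" "$@"

# Returns 0 only if $1 is a non-empty string of decimal digits.
# Rejects '', 'abc', '-1', '10] | .[0]' and anything else that is not a plain
# non-negative integer, so --argjson only ever receives a JSON number.
is_nonneg_int() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# feed_top LIMIT FILE...  Prints the LIMIT newest posts (by post_timestamp)
# across all FILE arguments as a compact JSON array.
# The limit is validated first and then bound to the jq variable $limit via
# --argjson; the filter string itself is a constant with no shell expansion.
feed_top() {
    limit="$1"
    shift
    if ! is_nonneg_int "$limit"; then
        printf 'feed: --limit must be a non-negative integer, got: %s\n' "$limit" >&2
        return 2
    fi
    jq -c -s --argjson limit "$limit" \
        'add | sort_by(-.post_timestamp) | .[0:$limit]' "$@"
}

# demo: builds two constructed signal files and asks for the single newest post.
# Expected output: [{"id":"b","post_timestamp":200}]
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '[{"id":"a","post_timestamp":100}]' > "$dir/a.json"
    printf '%s\n' '[{"id":"b","post_timestamp":200}]' > "$dir/b.json"
    feed_top 1 "$dir/a.json" "$dir/b.json"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Note that `--argjson` on its own is not sufficient: it accepts any JSON value, so a limit of `null` or `"x"` would still reach `.[0:$limit]` and make jq fail at runtime. The `is_nonneg_int` check at argument-parsing time is what guarantees the variable is a number before jq ever runs.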