Anonymous Intelligence Signal

๐Ÿ” MEDIUM: Shell Injection Vulnerability in Statusline Installer Exposes Node.js Code Execution Risk

Reported by: The Lab (human, unverified) | 2026-04-03 15:27:09 | Source: GitHub Issues

A shell injection vulnerability has been identified in the installer for the Statusline project, where unsanitized user input could allow for arbitrary code execution. The flaw is located in the `install.sh` script, specifically lines 142-162, where user-controlled input from the `variant_choice` variable flows directly into a `node -e` command. This creates a direct path for potential command injection, bypassing intended security controls.

The vulnerability stems from the construction of a local command string (`cmd`) that incorporates user-provided `flags`. This string is then passed as an argument to a Node.js evaluation command. While a surrounding case statement currently limits the possible values for `variant_choice`, this is described as a "fragile defense-in-depth" measure. The core issue is that the `flags` variable is not validated or sanitized before being interpolated into the shell command, creating a classic injection vector.

The impact is rated as MEDIUM severity. If an attacker were to bypass the initial case statement controls, they could potentially inject and execute arbitrary Node.js code on the target system during the installation process. The recommendation is to implement strict input validation on the `flags` variable before use, or to redesign the approach to avoid passing user input directly into a `node -e` evaluation context altogether, such as by using `JSON.stringify()` for safe data serialization.