Fix JSON injection vulnerabilities in invitation and collaborator functions

[Copilot]

The accept_invitation(), reject_invitation(), delete_invitation(), and delete_collaborator() functions were vulnerable to JSON injection by directly interpolating user-controlled parameters into JSON command strings.

Changes

• Applied escape_json() to all user-controlled parameters in invitation/collaborator functions:
  • accept_invitation(): escaped invitation_id and invitation_secret
  • reject_invitation(): escaped invitation_id and invitation_secret
  • delete_invitation(): escaped invitation_id
  • delete_collaborator(): escaped project_id and email

Example

Before:

commands = glue('[{{"type": "accept_invitation", "uuid": "{random_key()}", "args": {{"invitation_id": "{invitation_id}", "invitation_secret": "{invitation_secret}"}}}}]')

After:

commands = glue('[{{"type": "accept_invitation", "uuid": "{random_key()}", "args": {{"invitation_id": "{escape_json(invitation_id)}", "invitation_secret": "{escape_json(invitation_secret)}"}}}}]')

The escape_json() function handles backslashes, quotes, newlines, carriage returns, and tabs to prevent malformed JSON payloads.

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.