From d100cf6b1cd37cb8323bd2e1d7210090a38bae34 Mon Sep 17 00:00:00 2001
From: Alex Lokshin
Date: Wed, 29 Jan 2025 14:36:15 -0500
Subject: [PATCH] fix: Fix unsafe quotation Addresses a critical alert https://github.com/chanzuckerberg/happy/security/code-scanning/2
---
 shared/stack/stack.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/shared/stack/stack.go b/shared/stack/stack.go
index 998029b13c..ea154b78f0 100644
--- a/shared/stack/stack.go
+++ b/shared/stack/stack.go
@@ -238,7 +238,10 @@ func (s *Stack) applyFromPath(ctx context.Context, srcDir string, waitOptions op
 return errors.Wrap(err, "could not marshal json")
 }
 if _, ok := module.Variables["happymeta_"]; ok {
- tfArgs = append(tfArgs, fmt.Sprintf("-var=happymeta_='%s'", string(metaTags)))
+ tag := string(metaTags)
+ tag = strings.ReplaceAll(tag, `\`, `\\`)
+ tag = strings.ReplaceAll(tag, "'", "\\'")
+ tfArgs = append(tfArgs, fmt.Sprintf("-var=happymeta_='%s'", tag))
 }
 // Run 'terraform plan' or 'terraform apply'
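Review bot: The two `strings.ReplaceAll` calls on `tag` assume that whatever consumes `-var=happymeta_='…'` treats a backslash as an escape inside single quotes, which a POSIX shell does not: there `\'` still closes the quoted string, and the doubled backslashes stay doubled, changing the JSON that was just marshalled. How `tfArgs` reaches terraform is not visible here (applyFromPath starts and ends outside the hunk), so this is inferred; if the slice is passed as an argv with no shell involved, no quoting is needed and `tfArgs = append(tfArgs, "-var=happymeta_="+string(metaTags))` removes the quoting problem without altering the value. If a shell does parse the argument, the close-escape-reopen form `tag = strings.ReplaceAll(tag, "'", "'\\''")` is the one that matches single-quote rules, with no backslash doubling. Either way, a test with a tag value containing `'` and `\` would pin the behaviour the code-scanning alert is about.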