Apply review feedback: trap cleanup, comment fix, sed escaping

Agent-Logs-Url: https://github.com/advanced-security/codeql-sap-js/sessions/c323e856-3961-4705-b0bd-20893445994c

Co-authored-by: data-douser <70299490+data-douser@users.noreply.github.com>

Author: Copilot

javascript/frameworks/ui5/test/qlpack.yml

@@ -4,8 +4,8 @@ extractor: javascript
 dependencies:
   codeql/javascript-all: "2.6.26"
   # We use this dependency to run the standard Log Injection query to ensure that
-  # no overlap occurs with the SAP UI5 queries. We therefore allow any version
-  # greater than or equal to 1.2.0, as major breaking changes are not a concern.
+  # no overlap occurs with the SAP UI5 queries. We pin this dependency to a
+  # specific version to ensure consistent and reproducible test results.
   codeql/javascript-queries: "2.3.6"
   advanced-security/javascript-sap-ui5-queries: "2.25.1"
   advanced-security/javascript-sap-ui5-models: "2.25.1"

scripts/upgrade-packs.sh

@@ -127,6 +127,8 @@ pin_upstream_deps() {
     if [[ -z "${resolved_version}" ]]; then
       local tmp_dir
       tmp_dir=$(mktemp -d)
+      ## Ensure the temp dir is removed on early exit (e.g. codeql pack upgrade failure)
+      trap 'rm -rf "${tmp_dir}"' RETURN
       local extractor
       extractor=$(grep -m1 "^extractor:" "${qlpack_yml}" | awk '{print $2}' || echo "javascript")
       cat > "${tmp_dir}/qlpack.yml" <<TMPEOF
@@ -142,6 +144,7 @@ TMPEOF
           | sed 's/.*version:[[:space:]]*//' | head -1)
       fi
       rm -rf "${tmp_dir}"
+      trap - RETURN
     fi
 
     if [[ -z "${resolved_version}" ]]; then
@@ -160,9 +163,13 @@ TMPEOF
     ## Replace in file — try both unquoted-key and quoted-key forms
     ## Form 1: codeql/dep-name: "X.Y.Z"
     ## Form 2: "codeql/dep-name": "X.Y.Z"
-    sed -i.bak "s|${dep_name}: ${dep_old_value}|${dep_name}: ${new_value}|" "${qlpack_yml}"
+    ## Escape values for safe use in sed search patterns
+    local sed_dep_name sed_dep_old_value
+    sed_dep_name=$(printf '%s\n' "${dep_name}" | sed 's/[][.^$*+?{}()|\/]/\\&/g')
+    sed_dep_old_value=$(printf '%s\n' "${dep_old_value}" | sed 's/[][.^$*+?{}()|\/]/\\&/g')
+    sed -i.bak "s|${sed_dep_name}: ${sed_dep_old_value}|${dep_name}: ${new_value}|" "${qlpack_yml}"
     rm -f "${qlpack_yml}.bak"
-    sed -i.bak "s|\"${dep_name}\": ${dep_old_value}|\"${dep_name}\": ${new_value}|" "${qlpack_yml}"
+    sed -i.bak "s|\"${sed_dep_name}\": ${sed_dep_old_value}|\"${dep_name}\": ${new_value}|" "${qlpack_yml}"
     rm -f "${qlpack_yml}.bak"
     echo "  ✅ ${dep_name}: ${dep_old_value} -> ${new_value}"
   done <<< "${dep_lines}"