From 48a88bb0cd2e71412d0f6958632a1590126caa45 Mon Sep 17 00:00:00 2001
From: Dane Schneider
Date: Tue, 13 Jan 2026 09:39:18 -0800
Subject: [PATCH 1/5] Add test file

---
 test-vuln.js | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 test-vuln.js

diff --git a/test-vuln.js b/test-vuln.js
new file mode 100644
index 0000000..8861b86
--- /dev/null
+++ b/test-vuln.js
@@ -0,0 +1,6 @@
+// Test file for fork PR
+function executeCommand(userInput) {
+ // Command injection vulnerability
+ return require('child_process').execSync('echo ' + userInput);
+}
+module.exports = { executeCommand };

From c71f60093eb4599d4246b8033dab0a201e7383ff Mon Sep 17 00:00:00 2001
From: Dane Schneider
Date: Tue, 13 Jan 2026 09:51:34 -0800
Subject: [PATCH 2/5] test: fork PR with promptfoo-source

---
 test-vuln.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test-vuln.js b/test-vuln.js
index 8861b86..c3835a3 100644
--- a/test-vuln.js
+++ b/test-vuln.js
@@ -4,3 +4,4 @@ function executeCommand(userInput) {
  return require('child_process').execSync('echo ' + userInput);
 }
 module.exports = { executeCommand };
+// Testing promptfoo-source input

From f13e40681b9bdf5d0a04d6719e8c396e21effa11 Mon Sep 17 00:00:00 2001
From: Dane Schneider
Date: Tue, 13 Jan 2026 09:58:04 -0800
Subject: [PATCH 3/5] test: fork PR action handling

---
 test-vuln.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test-vuln.js b/test-vuln.js
index c3835a3..f025009 100644
--- a/test-vuln.js
+++ b/test-vuln.js
@@ -5,3 +5,4 @@ function executeCommand(userInput) {
 }
 module.exports = { executeCommand };
 // Testing promptfoo-source input
+// Test fork PR action handling

From 19d9fadf0c218de3cbc6522ec7ae354fa9fd83a3 Mon Sep 17 00:00:00 2001
From: Dane Schneider
Date: Tue, 13 Jan 2026 10:01:05 -0800
Subject: [PATCH 4/5] test: stdout check

---
 test-vuln.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test-vuln.js b/test-vuln.js
index f025009..31e26ce 100644
--- a/test-vuln.js
+++ b/test-vuln.js
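Review bot: The new `executeCommand` builds its shell command by concatenating `userInput` into the string passed to `execSync`, so any shell metacharacters in the argument are interpreted by the shell — which the inline comment acknowledges is the intent of this fixture. Nothing in the hunk keeps the file from being `require`d by real code or shipped in a package, since it sits at the repository root and exports the function through `module.exports`; if it must remain an intentionally vulnerable scanner fixture, I would mark it explicitly, e.g. `// INTENTIONALLY VULNERABLE: scanner fixture only — never import from application code`, and exclude it from any published files list. Should the function ever be meant to be callable for real, the non-shell form `require('child_process').execFileSync('echo', [String(userInput)])` removes the injection while keeping the same output. Patches 2/5 through 5/5 only append comments to this file and raise nothing further.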
@@ -6,3 +6,4 @@ function executeCommand(userInput) {
 module.exports = { executeCommand };
 // Testing promptfoo-source input
 // Test fork PR action handling
+// Test stdout check

From a2e9f544c596a1080b3c37f22fde718bccd12f89 Mon Sep 17 00:00:00 2001
From: Dane Schneider
Date: Tue, 13 Jan 2026 11:29:35 -0800
Subject: [PATCH 5/5] test: enable-fork-prs setting

---
 test-vuln.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/test-vuln.js b/test-vuln.js
index 31e26ce..4a42774 100644
--- a/test-vuln.js
+++ b/test-vuln.js
@@ -7,3 +7,4 @@ module.exports = { executeCommand };
 // Testing promptfoo-source input
 // Test fork PR action handling
 // Test stdout check
+// Test enable-fork-prs setting