Fix JSON escaping in MCP string-map section rendering

Copilot · pelikhan · web-flow · commit f210dc2ccff5 · 2026-06-23T18:59:20.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/workflow/copilot_engine_test.go b/pkg/workflow/copilot_engine_test.go
@@ -1457,7 +1457,7 @@ func TestCopilotEngineRenderGitHubMCPConfig(t *testing.T) {
 				`"type": "stdio",`,
 				`"container": "ghcr.io/github/github-mcp-server:` + string(constants.DefaultGitHubMCPServerVersion) + `"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
 				`},`,
 			},
 		},
@@ -1472,7 +1472,7 @@ func TestCopilotEngineRenderGitHubMCPConfig(t *testing.T) {
 				`"type": "stdio",`,
 				`"container": "ghcr.io/github/github-mcp-server:v1.2.3"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
 				`}`,
 			},
 		},
diff --git a/pkg/workflow/copilot_github_mcp_test.go b/pkg/workflow/copilot_github_mcp_test.go
@@ -29,7 +29,7 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 				`"type": "stdio"`,
 				`"container": "ghcr.io/github/github-mcp-server:` + string(constants.DefaultGitHubMCPServerVersion) + `"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
 			},
 			unexpectedContent: []string{},
 		},
diff --git a/pkg/workflow/engine_helpers_github_test.go b/pkg/workflow/engine_helpers_github_test.go
@@ -54,8 +54,8 @@ func TestRenderGitHubMCPDockerConfig(t *testing.T) {
 				`"type": "stdio"`,
 				`"container": "ghcr.io/github/github-mcp-server:latest"`,
 				`"env": {`,
-				`"GITHUB_HOST": "\${GITHUB_SERVER_URL}"`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_HOST": "\\${GITHUB_SERVER_URL}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
 				`"GITHUB_TOOLSETS": "default"`,
 			},
 			notFound: []string{
diff --git a/pkg/workflow/github_remote_config_test.go b/pkg/workflow/github_remote_config_test.go
@@ -74,14 +74,14 @@ func TestRenderGitHubMCPRemoteConfig(t *testing.T) {
 				`"type": "http"`,
 				`"url": "https://api.githubcopilot.com/mcp/"`,
 				`"headers": {`,
-				`"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
+				`"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
 				`"X-MCP-Toolsets": "default"`,
 				`"tools": [`,
 				`"list_issues"`,
 				`"create_issue"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
-				`"GITHUB_HOST": "\${GITHUB_SERVER_URL}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_HOST": "\\${GITHUB_SERVER_URL}"`,
 			},
 			notExpected: []string{
 				`"X-MCP-Readonly"`,
@@ -101,11 +101,11 @@ func TestRenderGitHubMCPRemoteConfig(t *testing.T) {
 				`"type": "http"`,
 				`"url": "https://api.githubcopilot.com/mcp/"`,
 				`"headers": {`,
-				`"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
+				`"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
 				`"X-MCP-Toolsets": "all"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
-				`"GITHUB_HOST": "\${GITHUB_SERVER_URL}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_HOST": "\\${GITHUB_SERVER_URL}"`,
 			},
 			notExpected: []string{
 				`"X-MCP-Readonly"`,
@@ -125,15 +125,15 @@ func TestRenderGitHubMCPRemoteConfig(t *testing.T) {
 				`"type": "http"`,
 				`"url": "https://api.githubcopilot.com/mcp/"`,
 				`"headers": {`,
-				`"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
+				`"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`,
 				`"X-MCP-Readonly": "true"`,
 				`"X-MCP-Toolsets": "repos"`,
 				`"tools": [`,
 				`"list_repositories"`,
 				`"get_repository"`,
 				`"env": {`,
-				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
-				`"GITHUB_HOST": "\${GITHUB_SERVER_URL}"`,
+				`"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`,
+				`"GITHUB_HOST": "\\${GITHUB_SERVER_URL}"`,
 			},
 			notExpected: []string{},
 		},
diff --git a/pkg/workflow/github_remote_mode_test.go b/pkg/workflow/github_remote_mode_test.go
@@ -255,10 +255,10 @@ This is a test workflow for GitHub remote mode configuration.
 					}
 					// For Copilot engine, check for new ${} syntax
 					if tt.engineType == "copilot" {
-						if !strings.Contains(lockContent, `"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
+						if !strings.Contains(lockContent, `"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
 							t.Errorf("Expected Authorization header with ${GITHUB_PERSONAL_ACCESS_TOKEN} syntax but didn't find it in:\n%s", lockContent)
 						}
-						if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`) {
+						if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`) {
 							t.Errorf("Expected env section with GITHUB_PERSONAL_ACCESS_TOKEN passthrough but didn't find it in:\n%s", lockContent)
 						}
 					} else {
@@ -455,12 +455,12 @@ This tests that GITHUB_PERSONAL_ACCESS_TOKEN is exported and passed to Docker.
 	}
 
 	// Check that the MCP config still uses the ${} syntax
-	if !strings.Contains(lockContent, `"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
+	if !strings.Contains(lockContent, `"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
 		t.Errorf("Expected Authorization header with ${GITHUB_PERSONAL_ACCESS_TOKEN} syntax but didn't find it in lock file")
 	}
 
 	// Check that the env section still defines the variable
-	if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`) {
+	if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`) {
 		t.Errorf("Expected env section with GITHUB_PERSONAL_ACCESS_TOKEN but didn't find it in lock file")
 	}
 }
diff --git a/pkg/workflow/mcp_http_headers_test.go b/pkg/workflow/mcp_http_headers_test.go
@@ -211,9 +211,9 @@ func TestRenderSharedMCPConfig_HTTPWithHeaderSecrets(t *testing.T) {
 	// Check that headers use env var references instead of secret expressions
 	expectedHeaderChecks := []string{
 		`"headers": {`,
-		`"DD_API_KEY": "\${DD_API_KEY}"`,
-		`"DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}"`,
-		`"DD_SITE": "\${DD_SITE}"`,
+		`"DD_API_KEY": "\\${DD_API_KEY}"`,
+		`"DD_APPLICATION_KEY": "\\${DD_APPLICATION_KEY}"`,
+		`"DD_SITE": "\\${DD_SITE}"`,
 	}
 
 	for _, expected := range expectedHeaderChecks {
@@ -225,9 +225,9 @@ func TestRenderSharedMCPConfig_HTTPWithHeaderSecrets(t *testing.T) {
 	// Check that env passthrough section is present
 	expectedEnvChecks := []string{
 		`"env": {`,
-		`"DD_API_KEY": "\${DD_API_KEY}"`,
-		`"DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}"`,
-		`"DD_SITE": "\${DD_SITE}"`,
+		`"DD_API_KEY": "\\${DD_API_KEY}"`,
+		`"DD_APPLICATION_KEY": "\\${DD_APPLICATION_KEY}"`,
+		`"DD_SITE": "\\${DD_SITE}"`,
 	}
 
 	for _, expected := range expectedEnvChecks {
diff --git a/pkg/workflow/mcp_renderer_section_helpers.go b/pkg/workflow/mcp_renderer_section_helpers.go
@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"encoding/json"
 	"fmt"
 	"strings"
 )
@@ -11,7 +12,9 @@ func writeJSONStringMapEntries(yaml *strings.Builder, values map[string]string,
 		if i == len(values)-1 {
 			comma = ""
 		}
-		fmt.Fprintf(yaml, "%s\"%s\": \"%s\"%s\n", indent, key, values[key], comma)
+		encodedKey, _ := json.Marshal(key)           //nolint:jsonmarshalignorederror // marshaling a string cannot fail
+		encodedValue, _ := json.Marshal(values[key]) //nolint:jsonmarshalignorederror // marshaling a string cannot fail
+		fmt.Fprintf(yaml, "%s%s: %s%s\n", indent, encodedKey, encodedValue, comma)
 	}
 }
 
diff --git a/pkg/workflow/mcp_renderer_section_helpers_test.go b/pkg/workflow/mcp_renderer_section_helpers_test.go
@@ -3,6 +3,7 @@
 package workflow
 
 import (
+	"encoding/json"
 	"strings"
 	"testing"
 )
@@ -25,6 +26,22 @@ func TestWriteJSONStringMapSection(t *testing.T) {
 	}
 }
 
+func TestWriteJSONStringMapSectionEscapesKeysAndValues(t *testing.T) {
+	var output strings.Builder
+
+	writeJSONStringMapSection(&output, "  ", "env", map[string]string{
+		`A"key`: "line1\nline2\\end",
+	}, false)
+
+	var parsed map[string]map[string]string
+	if err := json.Unmarshal([]byte("{\n"+output.String()+"}"), &parsed); err != nil {
+		t.Fatalf("expected valid JSON section, got error: %v\noutput:\n%s", err, output.String())
+	}
+	if parsed["env"][`A"key`] != "line1\nline2\\end" {
+		t.Fatalf("unexpected parsed value: %#v", parsed["env"])
+	}
+}
+
 func TestWriteTOMLInlineStringMapSection(t *testing.T) {
 	var output strings.Builder
 
diff --git a/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden b/pkg/workflow/testdata/TestWasmGolden_AllEngines/copilot.golden
@@ -480,8 +480,8 @@ jobs:
                 "type": "stdio",
                 "container": "ghcr.io/github/github-mcp-server:v1.4.0",
                 "env": {
-                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
-                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+                  "GITHUB_HOST": "\\${GITHUB_SERVER_URL}",
+                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
                   "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                 },
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/basic-copilot.golden
@@ -480,8 +480,8 @@ jobs:
                 "type": "stdio",
                 "container": "ghcr.io/github/github-mcp-server:v1.4.0",
                 "env": {
-                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
-                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+                  "GITHUB_HOST": "\\${GITHUB_SERVER_URL}",
+                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
                   "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                 },
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/playwright-cli-mode.golden
@@ -500,8 +500,8 @@ jobs:
                 "type": "stdio",
                 "container": "ghcr.io/github/github-mcp-server:v1.4.0",
                 "env": {
-                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
-                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+                  "GITHUB_HOST": "\\${GITHUB_SERVER_URL}",
+                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
                   "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                 },
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/smoke-copilot.golden
@@ -694,8 +694,8 @@ jobs:
                 "type": "stdio",
                 "container": "ghcr.io/github/github-mcp-server:v1.4.0",
                 "env": {
-                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
-                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+                  "GITHUB_HOST": "\\${GITHUB_SERVER_URL}",
+                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
                   "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                 },
diff --git a/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden b/pkg/workflow/testdata/TestWasmGolden_CompileFixtures/with-imports.golden
@@ -481,8 +481,8 @@ jobs:
                 "type": "stdio",
                 "container": "ghcr.io/github/github-mcp-server:v1.4.0",
                 "env": {
-                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
-                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
+                  "GITHUB_HOST": "\\${GITHUB_SERVER_URL}",
+                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
                   "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
                 },

Original file line number	Diff line number	Diff line change
`@@ -255,10 +255,10 @@ This is a test workflow for GitHub remote mode configuration.`
`255`	`255`	`}`
`256`	`256`	`// For Copilot engine, check for new ${} syntax`
`257`	`257`	`if tt.engineType == "copilot" {`
`258`		- if !strings.Contains(lockContent, `"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
	`258`	+ if !strings.Contains(lockContent, `"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
`259`	`259`	`t.Errorf("Expected Authorization header with ${GITHUB_PERSONAL_ACCESS_TOKEN} syntax but didn't find it in:\n%s", lockContent)`
`260`	`260`	`}`
`261`		- if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`) {
	`261`	+ if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`) {
`262`	`262`	`t.Errorf("Expected env section with GITHUB_PERSONAL_ACCESS_TOKEN passthrough but didn't find it in:\n%s", lockContent)`
`263`	`263`	`}`
`264`	`264`	`} else {`
`@@ -455,12 +455,12 @@ This tests that GITHUB_PERSONAL_ACCESS_TOKEN is exported and passed to Docker.`
`455`	`455`	`}`
`456`	`456`
`457`	`457`	`// Check that the MCP config still uses the ${} syntax`
`458`		- if !strings.Contains(lockContent, `"Authorization": "Bearer \${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
	`458`	+ if !strings.Contains(lockContent, `"Authorization": "Bearer \\${GITHUB_PERSONAL_ACCESS_TOKEN}"`) {
`459`	`459`	`t.Errorf("Expected Authorization header with ${GITHUB_PERSONAL_ACCESS_TOKEN} syntax but didn't find it in lock file")`
`460`	`460`	`}`
`461`	`461`
`462`	`462`	`// Check that the env section still defines the variable`
`463`		- if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`) {
	`463`	+ if !strings.Contains(lockContent, `"GITHUB_PERSONAL_ACCESS_TOKEN": "\\${GITHUB_MCP_SERVER_TOKEN}"`) {
`464`	`464`	`t.Errorf("Expected env section with GITHUB_PERSONAL_ACCESS_TOKEN but didn't find it in lock file")`
`465`	`465`	`}`
`466`	`466`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package workflow`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+ "encoding/json"`
`4`	`5`	`"fmt"`
`5`	`6`	`"strings"`
`6`	`7`	`)`
`@@ -11,7 +12,9 @@ func writeJSONStringMapEntries(yaml *strings.Builder, values map[string]string,`
`11`	`12`	`if i == len(values)-1 {`
`12`	`13`	`comma = ""`
`13`	`14`	`}`
`14`		`- fmt.Fprintf(yaml, "%s\"%s\": \"%s\"%s\n", indent, key, values[key], comma)`
	`15`	`+ encodedKey, _ := json.Marshal(key) //nolint:jsonmarshalignorederror // marshaling a string cannot fail`
	`16`	`+ encodedValue, _ := json.Marshal(values[key]) //nolint:jsonmarshalignorederror // marshaling a string cannot fail`
	`17`	`+ fmt.Fprintf(yaml, "%s%s: %s%s\n", indent, encodedKey, encodedValue, comma)`
`15`	`18`	`}`
`16`	`19`	`}`
`17`	`20`