
work around cloning repos #28

Closed
wants to merge 4 commits into from

Conversation

CaseyHaralson
Contributor

cleaning previous downloads, removing .git dir, and extracting from the cloned folder

// remove any leftover download before cloning into the same path
await removePreviousClone(path)

return new Promise<string>((resolve, reject) => {
  // info.href comes from library input and is passed straight to git
  const child = spawn('git', ['clone', info.href, path])
  child.on('error', reject)
  child.on('close', code => (code === 0 ? resolve(path) : reject(new Error(`git clone exited with code ${code}`))))
})

Check failure

Code scanning / CodeQL

Second order command injection (High)

Command line argument that depends on library input can execute an arbitrary command if --upload-pack is used with git.
Contributor Author


I'm going to try and commit a change to see if I can fix this

Contributor Author


Well, looks like my test didn't help. I think they are suggesting checking for a valid remote and I thought checking for "upload-pack" would work.

https://codeql.github.com/codeql-query-help/javascript/js-second-order-command-line-injection/

Owner

@iwatakeshi iwatakeshi Feb 17, 2024


Hmm, I wonder if there is a way to ignore that error line or file... Unless it's necessary, then I don't mind adding checks. CodeQL can get in the way sometimes.
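The kind of remote check the thread is circling around, as an added example that is not code from this PR or from the project: it rejects option-like values and unknown URL schemes before anything reaches git, and terminates option parsing with `--` so a positional argument can never be read as `--upload-pack`. The scheme allowlist and the function names are assumptions.

```typescript
import { spawn } from 'node:child_process'

// Remote schemes this tool is willing to clone from (assumed allowlist, not the project's).
const ALLOWED_PROTOCOLS = new Set(['https:', 'ssh:', 'git:'])

// Validate a user-supplied remote and build the argv for `git clone`.
// Throws instead of returning when the value is not a plausible remote URL.
function buildCloneArgs(href: string, dest: string): string[] {
  // A leading '-' would be parsed by git as an option (e.g. --upload-pack=<cmd>),
  // which is exactly the second-order injection CodeQL flags on this PR.
  if (href.startsWith('-') || dest.startsWith('-')) {
    throw new Error('remote and destination must not look like git options')
  }
  let url: URL
  try {
    // scp-like remotes (user@host:path) are not URLs and are rejected here by design
    url = new URL(href)
  } catch {
    throw new Error(`not a valid remote URL: ${href}`)
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    throw new Error(`unsupported remote protocol: ${url.protocol}`)
  }
  // `--` ends option parsing, so git treats what follows as positional
  // arguments even if the checks above were ever bypassed.
  return ['clone', '--', url.href, dest]
}

// Spawn git with the validated argv; resolves with the destination path.
function cloneRepo(href: string, dest: string): Promise<string> {
  const args = buildCloneArgs(href, dest)
  return new Promise((resolve, reject) => {
    const child = spawn('git', args, { stdio: 'inherit' })
    child.on('error', reject)
    child.on('close', (code) =>
      code === 0 ? resolve(dest) : reject(new Error(`git clone exited with code ${code}`)),
    )
  })
}
```

Because the argv is built from an array rather than a shell string, no shell quoting is involved; the only remaining exposure is git's own option parsing, which the `--` closes off.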

@iwatakeshi
Owner

Superseded by #29

@iwatakeshi iwatakeshi closed this Feb 17, 2024
@iwatakeshi iwatakeshi mentioned this pull request Feb 17, 2024

2 participants