Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extension asset upload #361

Open
wants to merge 28 commits into
base: master
Choose a base branch
from
Open

Extension asset upload #361

wants to merge 28 commits into from

Conversation

meetdhananifynd
Copy link
Collaborator

No description provided.

ZaidRehmanQureshi
ZaidRehmanQureshi reviewed Sep 10, 2024
View reviewed changes
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
ZaidRehmanQureshi
ZaidRehmanQureshi reviewed Sep 24, 2024
View reviewed changes
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
src/lib/ExtensionSection.ts Outdated Show resolved Hide resolved
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 27, 2024
View reviewed changes
src/lib/ExtensionSection.ts
const isNodeVersionIsGreaterThan18 =
+process.version.split('.')[0].slice(1) >= 18;
let b = exec(
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName}`,
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,

Check failure

Code scanning / CodeQL

Uncontrolled command line Critical

This command line depends on a
user-provided value
Loading
.

Copilot Autofix AI about 1 month ago

To fix the problem, we should avoid using exec with a single concatenated string that includes user input. Instead, we can use execFile or execFileSync, which allows us to pass command arguments as an array of strings. This approach is safer and mitigates the risk of command injection.

  1. Replace the exec function with execFile.
  2. Pass the command and its arguments as separate elements in an array.
  3. Ensure that the bundleName and other variables are passed as separate arguments to avoid shell interpretation.
Suggested changeset 1
src/lib/ExtensionSection.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/ExtensionSection.ts b/src/lib/ExtensionSection.ts
--- a/src/lib/ExtensionSection.ts
+++ b/src/lib/ExtensionSection.ts
@@ -26,3 +26,3 @@
 import inquirer from 'inquirer';
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import * as cheerio from 'cheerio';
@@ -549,4 +549,12 @@
                 +process.version.split('.')[0].slice(1) >= 18;
-            let b = exec(
-                `node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,
+            let b = execFile(
+                'node',
+                [
+                    VUE_CLI_PATH,
+                    'build',
+                    '--target', 'lib',
+                    'src/index.js',
+                    '--name', bundleName,
+                    '--filename', `${assetHash}_${bundleName}`
+                ],
                 {
EOF
@@ -26,3 +26,3 @@
import inquirer from 'inquirer';
import { exec } from 'child_process';
import { execFile } from 'child_process';
import * as cheerio from 'cheerio';
@@ -549,4 +549,12 @@
+process.version.split('.')[0].slice(1) >= 18;
let b = exec(
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,
let b = execFile(
'node',
[
VUE_CLI_PATH,
'build',
'--target', 'lib',
'src/index.js',
'--name', bundleName,
'--filename', `${assetHash}_${bundleName}`
],
{
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZaidRehmanQureshi ZaidRehmanQureshi ZaidRehmanQureshi left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@meetdhananifynd @ZaidRehmanQureshi