fix(selfhost): validate ready retry settings#5146
Merged
Merged
Conversation
Contributor
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
JSONbored
force-pushed
the
codex/propose-fix-for-bash-arithmetic-injection
branch
from
July 12, 2026 09:01
c390f6a to
e603634
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #5146 +/- ##
=======================================
Coverage 94.34% 94.34%
=======================================
Files 473 473
Lines 39965 39965
Branches 14570 14570
=======================================
Hits 37704 37704
Misses 1585 1585
Partials 676 676
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
This was referenced Jul 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
SELFHOST_READY_RETRIESandSELFHOST_READY_RETRY_DELAY_SECONDSdirectly from the environment and used them in a Bash arithmetic expansion, allowing arithmetic-expression/command-substitution injection on the failure path.Description
SELFHOST_READY_RETRIESandSELFHOST_READY_RETRY_DELAY_SECONDSas decimal integers and emit a warning and fallback to safe defaults when invalid inscripts/selfhost-post-update-check.sh.READY_TIMEOUT_SECONDSusing10#to force decimal interpretation and use it in the readiness failure message to avoid evaluating untrusted input inside$((...)).READY_TIMEOUT_SECONDSand reuse the sanitizedREADY_RETRIES/READY_RETRY_DELAY_SECONDSvalues for loop/sleep calls.test/unit/selfhost-post-update-check-script.test.tsthat runs the real script with mockeddocker,curl, andsleepto assert non-numeric injection strings do not execute and that the validated timeout calculation is reported; also regenerateworker-configuration.d.tsto satisfy local drift checks.Testing
npx vitest run test/unit/selfhost-post-update-check-script.test.tsand the two new tests passed.git diff --checkand the local formatting/checks for the changed files passed.npm run cf-typegento regenerate Cloudflare runtime types and committed the updatedworker-configuration.d.tssuccessfully.npm run test:ciandnpm audit --audit-level=moderate;test:cireachedtest:coveragewhere unrelated existing test-suite failures appeared and the run was stopped, andnpm auditreturned a403 Forbiddenfrom the registry audit endpoint (these are unrelated to the patch itself).Codex Task