Audit and remediate 74 Codacy Critical DueSoon security findings #72

@JohnnyVicious

Description

Codacy currently reports 74 SRM items that are Critical and DueSoon for main.

Source: Codacy SRM / repository quality issues queried on 2026-05-24.
Repository: JohnnyVicious/opencode-plugin-cc
Branch/commit: main / 1b304d7fe19b2459a31659ad1a6ffd260c88d274
Due date shown by Codacy SRM: 2026-06-04
Mapping used here: SRM Critical + DueSoon corresponds to Codacy quality issues with Security category and Error severity.

Acceptance criteria

  • Triage all 74 findings below as valid, false positive, or accepted risk.
  • Fix all valid findings, prioritizing command injection, SSRF/HTTP, cryptography, then file access/path findings.
  • Add focused regression coverage where behavior is security relevant.
  • Confirm Codacy no longer reports the valid remediated findings after the fixing PRs land.

Findings

  1. plugins/opencode/scripts/lib/state.mjs:47 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867959
  2. plugins/opencode/scripts/lib/fs.mjs:215 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867881
  3. scripts/bump-version.mjs:148 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867937
  4. plugins/opencode/scripts/lib/fs.mjs:214 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867940
  5. plugins/opencode/scripts/opencode-companion.mjs:1120 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867965
  6. plugins/opencode/scripts/lib/git.mjs:302 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867928
  7. plugins/opencode/scripts/lib/git.mjs:300 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867892
  8. plugins/opencode/scripts/lib/state.mjs:249 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867898
  9. plugins/opencode/scripts/safe-command.mjs:20 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867956
  10. plugins/opencode/scripts/lib/process.mjs:114 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867935
  11. plugins/opencode/scripts/lib/fs.mjs:21 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867893
  12. plugins/opencode/scripts/lib/state.mjs:72 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867964
  13. plugins/opencode/scripts/lib/process.mjs:185 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867960
  14. plugins/opencode/scripts/lib/fs.mjs:108 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867966
  15. plugins/opencode/scripts/lib/state.mjs:248 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867905
  16. plugins/opencode/scripts/lib/fs.mjs:41 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867930
  17. plugins/opencode/scripts/opencode-companion.mjs:1141 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867888
  18. plugins/opencode/scripts/opencode-companion.mjs:1117 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867950
  19. plugins/opencode/scripts/stop-review-gate-hook.mjs:101 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867943
  20. plugins/opencode/scripts/lib/state.mjs:32 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867957
  21. plugins/opencode/scripts/lib/state.mjs:70 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867907
  22. plugins/opencode/scripts/lib/state.mjs:107 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867904
  23. plugins/opencode/scripts/lib/state.mjs:43 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867942
  24. plugins/opencode/scripts/lib/fs.mjs:236 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867887
  25. plugins/opencode/scripts/lib/tracked-jobs.mjs:129 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867954
  26. plugins/opencode/scripts/lib/state.mjs:94 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867945
  27. plugins/opencode/scripts/lib/prompts.mjs:96 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867896
  28. plugins/opencode/scripts/opencode-companion.mjs:1146 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867951
  29. plugins/opencode/scripts/lib/process.mjs:209 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867962
  30. plugins/opencode/scripts/lib/opencode-server.mjs:152 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867924
  31. plugins/opencode/scripts/safe-command.mjs:111 — Cryptography — String comparisons using equality operators are vulnerable to timing attacks. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867919
  32. plugins/opencode/scripts/opencode-companion.mjs:1134 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867884
  33. plugins/opencode/scripts/lib/process.mjs:332 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867963
  34. plugins/opencode/scripts/lib/git.mjs:401 — Cryptography — Use of cryptographically weak random number generator. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867939
  35. plugins/opencode/scripts/lib/process.mjs:42 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867886
  36. plugins/opencode/scripts/lib/state.mjs:410 — Cryptography — Use of cryptographically weak random number generator. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867925
  37. plugins/opencode/scripts/opencode-companion.mjs:1119 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867899
  38. plugins/opencode/scripts/lib/opencode-server.mjs:191 — HTTP — This application allows user-controlled URLs to be passed directly to HTTP client libraries. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867932
  39. scripts/bump-version.mjs:153 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867923
  40. plugins/opencode/scripts/safe-command.mjs:151 — Cryptography — String comparisons using equality operators are vulnerable to timing attacks. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867902
  41. plugins/opencode/scripts/lib/fs.mjs:126 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867917
  42. plugins/opencode/scripts/lib/git.mjs:201 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867920
  43. plugins/opencode/scripts/lib/state.mjs:157 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867910
  44. plugins/opencode/scripts/lib/state.mjs:114 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867927
  45. plugins/opencode/scripts/lib/git.mjs:293 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867949
  46. plugins/opencode/scripts/lib/fs.mjs:113 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867933
  47. plugins/opencode/scripts/lib/state.mjs:180 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867911
  48. plugins/opencode/scripts/lib/fs.mjs:140 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867955
  49. plugins/opencode/scripts/lib/fs.mjs:225 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867915
  50. plugins/opencode/scripts/lib/fs.mjs:200 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867953
  51. plugins/opencode/scripts/lib/process.mjs:80 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867913
  52. plugins/opencode/scripts/lib/git.mjs:298 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867941
  53. plugins/opencode/scripts/lib/state.mjs:203 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867926
  54. plugins/opencode/scripts/lib/opencode-server.mjs:142 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867948
  55. plugins/opencode/scripts/lib/process.mjs:222 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867944
  56. plugins/opencode/scripts/lib/opencode-server.mjs:178 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867922
  57. plugins/opencode/scripts/lib/fs.mjs:128 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867897
  58. plugins/opencode/scripts/lib/state.mjs:147 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867885
  59. plugins/opencode/scripts/lib/git.mjs:405 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867883
  60. plugins/opencode/scripts/lib/state.mjs:145 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867900
  61. plugins/opencode/scripts/lib/opencode-server.mjs:151 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867901
  62. plugins/opencode/scripts/lib/state.mjs:206 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867914
  63. plugins/opencode/scripts/lib/fs.mjs:190 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867906
  64. plugins/opencode/scripts/lib/git.mjs:315 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867934
  65. plugins/opencode/scripts/lib/process.mjs:311 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867912
  66. plugins/opencode/scripts/lib/state.mjs:288 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867903
  67. plugins/opencode/scripts/lib/state.mjs:92 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867916
  68. plugins/opencode/scripts/lib/opencode-server.mjs:245 — CommandInjection — Found $SPAWN with {shell: platformShellOption()}. This is dangerous because this call will spawn the command using a shell process. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867961
  69. plugins/opencode/scripts/opencode-companion.mjs:117 — CommandInjection — Using non-static data to retrieve and run functions from the object is dangerous. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867890
  70. plugins/opencode/scripts/lib/state.mjs:333 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867929
  71. plugins/opencode/scripts/safe-command.mjs:190 — Cryptography — String comparisons using equality operators are vulnerable to timing attacks. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867891
  72. plugins/opencode/scripts/lib/opencode-server.mjs:416 — HTTP — This application allows user-controlled URLs to be passed directly to HTTP client libraries. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867958
  73. plugins/opencode/scripts/safe-command.mjs:135 — Cryptography — String comparisons using equality operators are vulnerable to timing attacks. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867947
  74. plugins/opencode/scripts/lib/fs.mjs:75 — FileAccess — The application dynamically constructs file or path information. Codacy: https://app.codacy.com/p/872065/issues/index?resultDataId=131484867952
