Ultra review — master full-codebase audit
This tracking issue collects the HIGH-severity findings from an ultra code review of the whole src/ tree on master. Each finding was independently adversarially verified before inclusion; one candidate (shell injection via apify run --entrypoint) was refuted and excluded as self-inflicted (no trust boundary crossed).
Sub-issues (HIGH only):
- minItems validation (validation bypass) — src/lib/input_schema.ts
- apify run exits 0 when the Actor fails — src/commands/run.ts
- apify actors pull via API-supplied filenames — src/commands/actors/pull.ts
- outputJobLog crashes when a job log is missing — src/lib/utils.ts
- actor set-value KEY with no value doesn't delete the record — src/commands/actor/set-value.ts
MEDIUM/LOW findings (token leak under APIFY_CLI_DEBUG, world-readable auth.json, corrupt legacy apify.json, choices-validation bypass, ResponsiveTable row accumulation, node:process import convention) were also identified but are out of scope for this tracker.
Generated by an ultra code review.