Potential fix for code scanning alert no. 5: Unvalidated dynamic method call by ialejandro · Pull Request #17 · devops-ia/self-learning-platform

ialejandro · 2026-02-15T15:26:12Z

Potential fix for https://github.com/devops-ia/self-learning-platform/security/code-scanning/5

In general, to fix unvalidated dynamic method calls, you must ensure that the property name derived from user input is only used to access a vetted set of callable functions. This usually means (a) checking that the name is in a whitelist or Map, (b) confirming the property is an own property (not coming from the prototype chain), and (c) verifying that the retrieved value is a function before calling it. If any check fails, you should handle it gracefully instead of calling the value.

For this specific code, the best minimally invasive fix is to add explicit validation around the dynamic lookups and invocations:

For the exact match on line 26–27:
- Compute const handler = exercise.terminalCommands[trimmedCommand].
- Check that Object.prototype.hasOwnProperty.call(exercise.terminalCommands, trimmedCommand) is true, and that typeof handler === "function".
- Only then call handler(currentCode).
- Otherwise, fall through to the rest of the logic so that unknown commands are handled by the later built‑in or “command not found” logic.
For the prefix matching loop on lines 31–34:
- Since Object.entries returns own enumerable properties as [pattern, handler], we already avoid prototype chain issues, but we still must ensure that handler is a function.
- Add if (typeof handler !== "function") { continue; } before invoking it.
- Keep the prefix matching logic unchanged apart from this validation.

No new imports are needed; we can use Object.prototype.hasOwnProperty.call directly. All changes are confined to src/lib/terminal/simulator.ts within the executeCommand function.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks>

+    : undefined;
+
+  if (typeof exactHandler === "function") {
+    return exactHandler(currentCode);


In general, to fix unvalidated dynamic method calls you must (a) restrict which methods can be called (whitelisting / own-property checks), (b) ensure the resolved property is actually a function before invoking it, and (c) handle any exceptions thrown by those dynamically selected handlers so that they cannot cause an unhandled runtime error or denial of service.

In this code, (a) and (b) are already in place: the exact-match lookup uses hasOwnProperty and a type check, and the prefix loop checks typeof handler === "function". The remaining improvement is to make the dynamic call itself safe by surrounding it with a try/catch so that if a handler throws, the error is translated into a controlled TerminalResponse instead of bubbling up and potentially taking down the request handler. This also helps satisfy CodeQL, which is worried about an exception stemming from a user-controlled dispatch. Concretely, in src/lib/terminal/simulator.ts we should:

Wrap exactHandler(currentCode) in a try/catch that returns a friendly error response (for example, using t.terminal.commandError if available, or a generic message) and an appropriate non-zero exit code.

Similarly, wrap handler(currentCode) inside the loop in a try/catch with the same behavior.

Keep all existing behavior intact when handlers execute successfully.

No new imports are required; we just add the try/catch blocks around the existing calls in executeCommand.

Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

## [1.1.1](v1.1.0...v1.1.1) (2026-02-15) ### Bug Fixes * Unvalidated dynamic method call ([#17](#17)) ([7f271a4](7f271a4))

github-actions · 2026-02-15T15:30:50Z

🎉 This PR is included in version 1.1.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

fix: Unvalidated dynamic method call

46d0f95

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks>

ialejandro assigned amartingarcia and ialejandro Feb 15, 2026

ialejandro requested a review from amartingarcia February 15, 2026 15:26

ialejandro marked this pull request as ready for review February 15, 2026 15:27

github-advanced-security AI found potential problems Feb 15, 2026

View reviewed changes

ialejandro and others added 3 commits February 15, 2026 16:28

fix: Workflow does not contain permissions (#18)

889d8be

Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

fix: Workflow does not contain permissions (#19)

4d31d2f

Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

fix: Workflow does not contain permissions (#20)

5c98517

Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

ialejandro merged commit 7f271a4 into main Feb 15, 2026
3 of 4 checks passed

ialejandro deleted the fix/security-improves branch February 15, 2026 15:29

github-actions Bot pushed a commit that referenced this pull request Feb 15, 2026

chore(release): 1.1.1 [skip ci]

a4943f9

## [1.1.1](v1.1.0...v1.1.1) (2026-02-15) ### Bug Fixes * Unvalidated dynamic method call ([#17](#17)) ([7f271a4](7f271a4))

github-actions Bot added the released label Feb 15, 2026

@@ -31,7 +31,14 @@
                 : undefined;
               if (typeof exactHandler === "function") {
-                return exactHandler(currentCode);
+                try {
+                  return exactHandler(currentCode);
+                } catch (error) {
+                  return {
+                    output: `Error: ${t.terminal.commandNotFound}`,
+                    exitCode: 1,
+                  };
+                }
               }
               // Check for command prefix match (e.g., "kubectl logs <pod-name>" matches "kubectl logs")
@@ -40,7 +47,14 @@
                   continue;
                 }
                 if (trimmedCommand.startsWith(pattern) || pattern.startsWith(trimmedCommand)) {
-                  return handler(currentCode);
+                  try {
+                    return handler(currentCode);
+                  } catch (error) {
+                    return {
+                      output: `Error: ${t.terminal.commandNotFound}`,
+                      exitCode: 1,
+                    };
+                  }
                 }
               }

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Potential fix for code scanning alert no. 5: Unvalidated dynamic method call#17

Potential fix for code scanning alert no. 5: Unvalidated dynamic method call#17
ialejandro merged 4 commits intomainfrom
fix/security-improves

ialejandro commented Feb 15, 2026

Uh oh!

Check failure

Copilot Autofix

Uh oh!

github-actions Bot commented Feb 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

ialejandro commented Feb 15, 2026

Uh oh!

Check failure

Uh oh!

Copilot Autofix

Uh oh!

github-actions Bot commented Feb 15, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants