This repository was archived by the owner on Sep 11, 2025. It is now read-only.

Fix vulnerability in AssemblyScript SDK install script #435

Merged
mattjohnsonpint merged 3 commits into main from autofix/alert-1-6ab08a35aa on Oct 8, 2024

Conversation

mattjohnsonpint (Contributor) commented Oct 8, 2024

Fixes https://github.com/hypermodeinc/modus/security/code-scanning/1

To fix the problem, we should avoid using execSync with a concatenated command string that includes unsanitized environment variables. Instead, we can use execFileSync which accepts command arguments as an array of strings, thus avoiding the risk of command injection.

  • Replace the execSync call with execFileSync.
  • Construct the command arguments as an array, ensuring that each part of the command is a separate element in the array.
  • Import the necessary execFileSync function from the child_process module.

mattjohnsonpint and others added 2 commits October 7, 2024 17:57
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mattjohnsonpint mattjohnsonpint marked this pull request as ready for review October 8, 2024 01:02
@mattjohnsonpint mattjohnsonpint requested a review from a team October 8, 2024 01:02
@mattjohnsonpint mattjohnsonpint changed the title from "Fix code scanning alert no. 1: Indirect uncontrolled command line" to "Fix vulnerability in AssemblyScript SDK install script" Oct 8, 2024
@mattjohnsonpint mattjohnsonpint enabled auto-merge (squash) October 8, 2024 01:04
@mattjohnsonpint mattjohnsonpint merged commit 03f5bcc into main Oct 8, 2024
@mattjohnsonpint mattjohnsonpint deleted the autofix/alert-1-6ab08a35aa branch October 8, 2024 02:01
@mattjohnsonpint mattjohnsonpint added this to the v0.13.0 milestone Oct 8, 2024