Harden Expo Go installer and command execution #2654

Merged: joj merged 10 commits into microsoft:master from lucygramley:fix/expo-go-installer-hardening on Jun 2, 2026

@lucygramley (Contributor)

Improve Expo Go installer robustness: use default TLS validation for API requests, add version string validation, and use execFile with argument arrays for shell commands (adb install, tar, xcrun simctl).

- Use default TLS certificate validation for Expo API requests
- Add version string validation for Expo Go client versions
- Use execFile with argument arrays for adb install, tar, and xcrun simctl commands

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
joj previously approved these changes May 27, 2026

@ConnorQi01 (Collaborator)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

ConnorQi01 (Collaborator) commented May 28, 2026

Hi @lucygramley

Thanks for the contribution and for improving the Expo Go installer command execution path.

Could you please create or link a corresponding issue for this PR? It would help us track the security concern, affected installer flow, and expected compatibility behavior.

The unit test pipeline is currently failing on Linux, Windows, and macOS. Could you please inspect the failing logs and update the PR?

For this PR, I would suggest checking the changes around mkdir, tar, adb install, and xcrun simctl execution, especially paths containing spaces. It would also help to document or test the accepted Expo Go version format, since the new validation may reject versions that were previously accepted.
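
Added example, not part of this thread and not the PR's code: a sketch of the two controls discussed above, a strict version check and argument-array execution that keeps a path with spaces as one argument. The version format, file names and function names are assumptions; a child Node process stands in for adb, tar and xcrun.

```javascript
const { execFileSync } = require("child_process");
const { join } = require("path");

// Assumed accepted format: three dot-separated numeric parts, nothing else.
const VERSION_RE = /^\d{1,4}\.\d{1,4}\.\d{1,4}$/;

function isValidClientVersion(version) {
  return typeof version === "string" && VERSION_RE.test(version);
}

// Returns [file, args] pairs for execFile. Each dynamic value is one argv
// element, so spaces or shell metacharacters in workDir are never parsed.
function buildInstallCommands(version, workDir) {
  if (!isValidClientVersion(version)) {
    throw new Error(`Rejected Expo Go version: ${JSON.stringify(version)}`);
  }
  // Constructed file names, for illustration only.
  const archive = join(workDir, `expo-go-${version}.tar.gz`);
  const apk = join(workDir, `expo-go-${version}.apk`);
  const appDir = join(workDir, `expo-go-${version}.app`);
  return {
    extract: ["tar", ["-xf", archive, "-C", appDir]],
    android: ["adb", ["install", "-r", apk]],
    ios: ["xcrun", ["simctl", "install", "booted", appDir]],
  };
}

// Stand-in for adb/tar: a child Node process, started without a shell, that
// reports the single argument it received. execFileSync passes arguments the
// same way execFile does.
function argSeenByChild(value) {
  const script = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";
  const out = execFileSync(process.execPath, ["-e", script, value], {
    encoding: "utf8",
  });
  const seen = JSON.parse(out);
  return seen[seen.length - 1];
}

// Constructed sample input: a working directory containing a space and ';'.
const demo = buildInstallCommands("2.31.2", "/tmp/My Projects; demo");
const demoApk = demo.android[1][2];
console.log(demo.android, argSeenByChild(demoApk) === demoApk);
console.log(["2.31.2", "2.31", "2.31.2 -s emulator-5554"].map(isValidClientVersion));
```

Pinning the accepted version format in a unit test like this also documents which previously accepted strings the validation now rejects.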

@ConnorQi01 (Collaborator)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

ConnorQi01 (Collaborator) commented May 29, 2026

Thanks for the contribution. I noticed the pipeline is currently failing because of code formatting issues.

Could you please run the project formatting command locally, commit the formatting changes, and push the update to this PR?

One small suggestion for future PRs: when possible, please link the PR to a related issue, or create one if there is no existing issue. This helps us track the motivation, review scope, validation status, and reporting more clearly. For small or urgent fixes this may not always be necessary, but it would be helpful for changes like this.

lucygramley and others added 2 commits June 1, 2026 09:36
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@ConnorQi01 (Collaborator)

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

joj enabled auto-merge June 2, 2026 16:21

joj (Member) commented Jun 2, 2026

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

joj (Member) commented Jun 2, 2026

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

joj merged commit f3a03d7 into microsoft:master Jun 2, 2026
5 checks passed