Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't concatenate shell arguments. #1974

Merged
merged 6 commits into from
Oct 26, 2024
Merged

Don't concatenate shell arguments. #1974

merged 6 commits into from
Oct 26, 2024

Conversation

brendandburns
Copy link
Contributor

Fixes https://github.com/kubernetes-client/javascript/security/code-scanning/17

To fix the problem, we should avoid using proc.execSync with a dynamically constructed command string. Instead, we can use child_process.execFileSync, which takes the command and its arguments as separate parameters, thus avoiding shell interpretation of the arguments. This change will ensure that the arguments are passed safely to the command without the risk of command injection.

Steps to fix:

  1. Replace the use of proc.execSync with proc.execFileSync.
  2. Split the command and its arguments into separate parameters for execFileSync.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@brendandburns @github-advanced-security
Don't concatenate the string arguments.
aa6e2e3 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. labels Oct 24, 2024
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 24, 2024
@brendandburns brendandburns changed the title Fix code scanning alert no. 17: Unsafe shell command constructed from library input Don't concatenate shell arguments. Oct 24, 2024
@brendandburns brendandburns removed do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. labels Oct 24, 2024
@brendandburns brendandburns marked this pull request as ready for review October 24, 2024 18:21
@k8s-ci-robot k8s-ci-robot added do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 24, 2024
mstruebing
mstruebing reviewed Oct 25, 2024
View reviewed changes
Copy link
Member

@mstruebing mstruebing left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like the tests are failing for a weird reason.

It's a buffer: '{"token":{"accessToken":"token"}}' and it seems like the leading and trailing ' are responsible.

I've pushed a commit which fixes one of the failing tests.
I did not look to deep into it, but the "fix" seems hacky and weird to me.
Just want to save you some time if you have a look later, feel free to drop/change that commit in any way you want.

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 25, 2024
@brendandburns
Copy link
Contributor Author

@mstruebing I added a fix which I think is more correct, removing leading/trailing quote marks for each arg.

@k8s-ci-robot
Copy link
Contributor

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

  • aa6e2e3 Don't concatenate the string arguments.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@mstruebing
Copy link
Member

/lgtm
/approve

Thanks 🚀

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 26, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, mstruebing

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [brendandburns,mstruebing]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@brendandburns brendandburns merged commit 8a0dae5 into master Oct 26, 2024
6 of 7 checks passed
@mstruebing mstruebing deleted the alert-autofix-17 branch November 19, 2024 13:34
@k8s-ci-robot k8s-ci-robot mentioned this pull request Dec 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mstruebing mstruebing mstruebing left review comments

@davidgamero davidgamero Awaiting requested review from davidgamero

Assignees

@mstruebing mstruebing

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brendandburns @k8s-ci-robot @mstruebing