fix: prevent command injection in isRepoPrivate() #973
Aakeeo wants to merge 2 commits into NVIDIA:main from
Conversation
Replace execSync (shell string interpolation) with execFileSync (argument array) in isRepoPrivate() to prevent shell metacharacter injection via the repo parameter. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
No actionable comments were generated in the recent review.
🧹 Nitpick comments (1)
bin/lib/credentials.js (1)
195-195: Consider updating to `execFileSync` for consistency. While this line has no user input and isn't vulnerable, switching to `execFileSync` would align with the pattern established in `isRepoPrivate()` and provide defense-in-depth.
♻️ Optional consistency refactor
- token = execSync("gh auth token 2>/dev/null", { encoding: "utf-8" }).trim(); + token = execFileSync("gh", ["auth", "token"], { + encoding: "utf-8", + stdio: ["ignore", "pipe", "ignore"], + }).trim();🤖 Prompt for AI Agents
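Review bot: once this line moves to `execFileSync`, the `execSync` import that the PR description says is retained for this call becomes dead and should be dropped from the `child_process` import in the same change, so no shell-spawning helper is left available in the module. The `stdio: ["ignore", "pipe", "ignore"]` option is the right stand-in for `2>/dev/null`: stderr is discarded without a shell, stdout is still captured for `.trim()`, and `execFileSync` keeps throwing on a non-zero exit, so any existing error handling around the token lookup behaves as before.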
Verify each finding against the current code and only fix it if needed. In `@bin/lib/credentials.js` at line 195, Replace the use of execSync when populating the token variable with execFileSync for consistency and defense-in-depth: call execFileSync with the program "gh" and arguments ["auth","token"] (preserving the { encoding: "utf-8" } and redirection behavior) and ensure the module imports/uses execFileSync from child_process instead of execSync; locate the token = execSync(...) assignment in bin/lib/credentials.js and update it to use execFileSync similarly to the pattern used in isRepoPrivate().
📒 Files selected for processing (1): bin/lib/credentials.js
Address CodeRabbit review feedback — switch the remaining execSync call in ensureGithubToken() to execFileSync and drop the now-unused execSync import. Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Replace execSync (shell string interpolation) with execFileSync (argument array) in isRepoPrivate() to prevent shell metacharacter injection via the repo parameter.
Summary
`isRepoPrivate()` in `bin/lib/credentials.js` passes the `repo` parameter directly into an `execSync()` template literal, which spawns a shell. Although the only current call site uses a hardcoded string, the function is exported and accepts arbitrary input — any future caller passing user-derived data (e.g. a git remote, CLI argument) would allow arbitrary command execution. This replaces it with `execFileSync()`, which bypasses the shell entirely.
Related Issue
N/A — discovered during a security audit of the codebase.
Changes
- Replace `execSync` with `execFileSync` in `isRepoPrivate()` to pass arguments as an array instead of interpolating into a shell string
- Add `execFileSync` to the `child_process` import (retain `execSync` for the existing `gh auth token` call in `ensureGithubToken()`)
Type of Change
Testing
- `npx prek run --all-files` passes (or equivalently `make check`).
- `npm test` passes.
- `make docs` builds without warnings (for doc-only changes).
Checklist
General
Code Changes
- `npx prek run --all-files` auto-fixes formatting (or `make format` for targeted runs).
Doc Changes
N/A