Skip to content

Extension asset upload #361

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
meetdhananifynd wants to merge 28 commits into
base: master
Choose a base branch
from
Open

Extension asset upload #361

meetdhananifynd wants to merge 28 commits into from

Conversation

@meetdhananifynd
Copy link
Contributor

@meetdhananifynd meetdhananifynd commented Sep 3, 2024

No description provided.

ZaidRehmanQureshi
ZaidRehmanQureshi reviewed Sep 10, 2024
View reviewed changes
ZaidRehmanQureshi
ZaidRehmanQureshi reviewed Sep 24, 2024
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 27, 2024
View reviewed changes
src/lib/ExtensionSection.ts
+process.version.split('.')[0].slice(1) >= 18;
let b = exec(
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName}`,
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,

Check failure

Code scanning / CodeQL

Uncontrolled command line

This command line depends on a [user-provided value](1).

Copilot Autofix

AI over 1 year ago

To fix the problem, we should avoid using exec with a single concatenated string that includes user input. Instead, we can use execFile or execFileSync, which allows us to pass command arguments as an array of strings. This approach is safer and mitigates the risk of command injection.

  1. Replace the exec function with execFile.
  2. Pass the command and its arguments as separate elements in an array.
  3. Ensure that the bundleName and other variables are passed as separate arguments to avoid shell interpretation.
Suggested changeset 1
src/lib/ExtensionSection.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/lib/ExtensionSection.ts b/src/lib/ExtensionSection.ts
--- a/src/lib/ExtensionSection.ts
+++ b/src/lib/ExtensionSection.ts
@@ -26,3 +26,3 @@
 import inquirer from 'inquirer';
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import * as cheerio from 'cheerio';
@@ -549,4 +549,12 @@
                 +process.version.split('.')[0].slice(1) >= 18;
-            let b = exec(
-                `node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,
+            let b = execFile(
+                'node',
+                [
+                    VUE_CLI_PATH,
+                    'build',
+                    '--target', 'lib',
+                    'src/index.js',
+                    '--name', bundleName,
+                    '--filename', `${assetHash}_${bundleName}`
+                ],
                 {
EOF
@@ -26,3 +26,3 @@
import inquirer from 'inquirer';
import { exec } from 'child_process';
import { execFile } from 'child_process';
import * as cheerio from 'cheerio';
@@ -549,4 +549,12 @@
+process.version.split('.')[0].slice(1) >= 18;
let b = exec(
`node ${VUE_CLI_PATH} build --target lib src/index.js --name ${bundleName} --filename ${assetHash}_${bundleName}`,
let b = execFile(
'node',
[
VUE_CLI_PATH,
'build',
'--target', 'lib',
'src/index.js',
'--name', bundleName,
'--filename', `${assetHash}_${bundleName}`
],
{
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ZaidRehmanQureshi ZaidRehmanQureshi ZaidRehmanQureshi left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@meetdhananifynd @ZaidRehmanQureshi