Add secure clone-demo.sh script with comprehensive safety features#18
Merged
Add secure clone-demo.sh script with comprehensive safety features#18
Conversation
Co-authored-by: joe10832 <103850533+joe10832@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] ## Pull Request Overview
Add secure clone-demo.sh script with comprehensive safety features
Sep 24, 2025
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a comprehensive security-focused shell script for cloning and setting up demo projects with extensive safety measures to prevent accidental system damage.
- Implements multi-layered directory validation to protect critical system paths
- Adds user confirmation prompts and force mode support for destructive operations
- Provides flexible configuration options for repository URL and target directory
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| readonly PROTECTED_DIRS=( | ||
| "/" | ||
| "/bin" | ||
| "/boot" |
There was a problem hiding this comment.
There's trailing whitespace after '/boot' that should be removed for consistency.
Suggested change
| "/boot" | |
| "/boot" |
Comment on lines
+313
to
+315
| yarn install | ||
| elif command -v npm &> /dev/null; then | ||
| npm install |
There was a problem hiding this comment.
The dependency installation commands lack error handling. If yarn or npm install fails, the script continues without indication of failure, which could lead to an incomplete setup.
Suggested change
| yarn install | |
| elif command -v npm &> /dev/null; then | |
| npm install | |
| if yarn install; then | |
| print_status "$GREEN" "✅ Dependencies installed successfully with yarn." | |
| else | |
| print_status "$RED" "❌ Failed to install dependencies with yarn." | |
| exit 1 | |
| fi | |
| elif command -v npm &> /dev/null; then | |
| if npm install; then | |
| print_status "$GREEN" "✅ Dependencies installed successfully with npm." | |
| else | |
| print_status "$RED" "❌ Failed to install dependencies with npm." | |
| exit 1 | |
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR addresses critical security vulnerabilities in directory removal operations by implementing a secure
clone-demo.shscript with comprehensive safety measures.Key Security Improvements
Enhanced Portability
#!/usr/bin/env bashfor better cross-platform compatibilityset -euo pipefailto prevent script execution with errorsCritical Safety Validation
The script implements multi-layered validation before any directory removal operations:
Comprehensive Protection Against Dangerous Directory Values
/,/home,/usr, etc.readlink -fto resolve and validate absolute pathssafe_remove_directory()with multiple validation layersSecurity Testing Results
The script successfully blocks dangerous operations:
./clone-demo.sh --force /→ "Cannot remove protected directory"./clone-demo.sh --force /home→ "Cannot remove protected directory"./clone-demo.sh --force ""→ "Directory path cannot be empty"./clone-demo.sh --help→ Shows comprehensive usage and safety featuresAdditional Features
The script prevents catastrophic system damage from potentially dangerous
rm -rfcommands while maintaining all existing functionality for legitimate demo setup operations.Fixes #17.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.