
resources: replace execSync with spawnSync #3704

Merged
merged 1 commit into from
Aug 21, 2022

Conversation

IvanGoncharov
Member

Extracted from #3700

CodeQL correctly reported that we are using user supplied data in our scripts
that can lead to shell injection.
Running those scripts on untrusted PRs both locally and on CI can be problematic.
Note I reviewed all places and none of them can be exploited but it is good practice
to switch to spawnSync if we can.
Additional benefit: it automatically solves all the issues with command arguments
being misinterpreted by the shell.

@netlify

netlify bot commented Aug 18, 2022

Deploy Preview for compassionate-pike-271cb3 ready!

Name Link
🔨 Latest commit b1311ef
🔍 Latest deploy log https://app.netlify.com/sites/compassionate-pike-271cb3/deploys/63022049effe410008e17602
😎 Deploy Preview https://deploy-preview-3704--compassionate-pike-271cb3.netlify.app

@github-actions

Hi @IvanGoncharov, I'm @github-actions bot happy to help you with this PR 👋

Supported commands

Please post these commands in separate comments and only one per comment:

  • @github-actions run-benchmark - Run benchmark comparing base and merge commits for this PR
  • @github-actions publish-pr-on-npm - Build package from this PR and publish it on NPM

@IvanGoncharov IvanGoncharov merged commit 52bcc32 into graphql:main Aug 21, 2022
@IvanGoncharov IvanGoncharov deleted the pr_branch5 branch August 21, 2022 12:23