Skip to content

Update main.nf#41

Merged
daichengxin merged 2 commits into
bigbio:mainfrom
daichengxin:main
Jun 14, 2026
Merged

Update main.nf#41
daichengxin merged 2 commits into
bigbio:mainfrom
daichengxin:main

Conversation

@daichengxin

@daichengxin daichengxin commented Jun 14, 2026

Copy link
Copy Markdown
Contributor

Pull Request

Description

Checklist

  • Module follows nf-core standards
  • main.nf includes process definition
  • meta.yml includes complete documentation
  • environment.yml specifies dependencies
  • Tests are included
  • Code is formatted (prettier)
  • CI checks pass

Module Type

  • New module
  • Module update
  • Bug fix
  • Documentation

Related Issues

Closes #

Summary by CodeRabbit

  • Bug Fixes
    • Updated fragment unit parameter handling for ascore and phosphors algorithms to use correct source parameters.
    • Enhanced CLI argument formatting in lucxor algorithm to properly quote user-provided values for target modifications, neutral losses, and decoy configurations while preserving default parameter behavior.

@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@daichengxin, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 3 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c25b562b-94f4-49fb-ab63-74d80fb3567c

📥 Commits

Reviewing files that changed from the base of the PR and between 63a9219 and 8242ec6.

📒 Files selected for processing (1)
  • modules/bigbio/onsite/main.nf
📝 Walkthrough

Walkthrough

Two targeted corrections in modules/bigbio/onsite/main.nf: the fragment_unit parameter source for the ascore and phosphors algorithm branches is renamed from params.onsite_fragment_unit to params.onsite_fragment_error_units, and the lucxor branch gains single-quote wrapping around user-supplied values for --target-modifications, --neutral-losses, and --decoy-neutral-losses.

Changes

ONSITE command construction corrections

Layer / File(s) Summary
fragment_unit parameter rename (ascore & phosphors)
modules/bigbio/onsite/main.nf
Both ascore and phosphors branches now read fragment_unit from params.onsite_fragment_error_units instead of the previously referenced params.onsite_fragment_unit.
lucxor CLI argument quoting
modules/bigbio/onsite/main.nf
--target-modifications, --neutral-losses, and --decoy-neutral-losses in the lucxor branch now interpolate user-provided values wrapped in single quotes; default argument strings remain quoted; --decoy-mass is unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • bigbio/nf-modules#22: Modifies the same ascore/phosphors command construction in modules/bigbio/onsite/main.nf around --fragment-mass-unit arguments, directly overlapping with the fragment-unit parameter changes here.

Suggested reviewers

  • ypriverol

Poem

🐇 Hop hop, a parameter name was wrong,
fragment_unit sang a different song!
Single quotes now cuddle each arg with care,
lucxor's modifications float through the air.
Fixed and tidy, the pipeline hops along~ 🌿

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Update main.nf' is vague and generic, providing no meaningful information about the actual changes made to the file. Revise the title to be more specific and descriptive of the main changes, such as 'Update ONSITE Nextflow process parameters for fragment units and CLI argument quoting' to clearly communicate the purpose of the modifications.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codacy-production

codacy-production Bot commented Jun 14, 2026

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@modules/bigbio/onsite/main.nf`:
- Around line 85-88: The shell command construction is vulnerable to injection
because user-supplied parameters wrapped in single quotes are not escaped—an
attacker could inject a single quote to break out of the quoting context. Escape
embedded single quotes in each user-supplied parameter before interpolation for
the variables target_mods, neutral_losses, decoy_mass, and decoy_losses. Apply
the standard shell idiom pattern to each `params.onsite_*` reference to convert
any embedded single quotes into a safe format that terminates the quoted string,
appends an escaped quote, and resumes quoting, ensuring that malicious input
cannot break the command structure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2f4186be-3726-4e2f-bd98-758ac9c5fa92

📥 Commits

Reviewing files that changed from the base of the PR and between 18d45a9 and 63a9219.

📒 Files selected for processing (1)
  • modules/bigbio/onsite/main.nf

Comment on lines +85 to +88
def target_mods = params.onsite_target_modifications ? "--target-modifications '${params.onsite_target_modifications}'" : "--target-modifications 'Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)'"
def neutral_losses = params.onsite_neutral_losses ? "--neutral-losses '${params.onsite_neutral_losses}'" : "--neutral-losses 'sty -H3PO4 -97.97690'"
def decoy_mass = params.onsite_decoy_mass ? "--decoy-mass ${params.onsite_decoy_mass}" : "--decoy-mass 79.966331"
def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses ${params.onsite_decoy_neutral_losses}" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'"
def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses '${params.onsite_decoy_neutral_losses}'" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Shell injection vulnerability: unescaped single quotes in user-supplied parameters.

Wrapping user-supplied values in single quotes does not prevent shell injection if the value itself contains a single quote. An attacker could break out of the quoting context.

Example: If params.onsite_target_modifications = "Phospho(S)'; rm -rf /; echo '", the resulting command becomes:

--target-modifications 'Phospho(S)'; rm -rf /; echo ''

Escape embedded single quotes before interpolation:

🛡️ Proposed fix: escape single quotes in user values
         // Optional target modifications - default for LucXor includes decoy
-        def target_mods = params.onsite_target_modifications ? "--target-modifications '${params.onsite_target_modifications}'" : "--target-modifications 'Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)'"
-        def neutral_losses = params.onsite_neutral_losses ? "--neutral-losses '${params.onsite_neutral_losses}'" : "--neutral-losses 'sty -H3PO4 -97.97690'"
+        def target_mods_val = params.onsite_target_modifications ? params.onsite_target_modifications.toString().replaceAll(/'/, "'\"'\"'") : "Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)"
+        def target_mods = "--target-modifications '${target_mods_val}'"
+        def neutral_losses_val = params.onsite_neutral_losses ? params.onsite_neutral_losses.toString().replaceAll(/'/, "'\"'\"'") : "sty -H3PO4 -97.97690"
+        def neutral_losses = "--neutral-losses '${neutral_losses_val}'"
         def decoy_mass = params.onsite_decoy_mass ? "--decoy-mass ${params.onsite_decoy_mass}" : "--decoy-mass 79.966331"
-        def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses '${params.onsite_decoy_neutral_losses}'" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'"
+        def decoy_losses_val = params.onsite_decoy_neutral_losses ? params.onsite_decoy_neutral_losses.toString().replaceAll(/'/, "'\"'\"'") : "X -H3PO4 -97.97690"
+        def decoy_losses = "--decoy-neutral-losses '${decoy_losses_val}'"

The pattern '\"'\"' ends the single-quoted string, appends a double-quoted single quote, then resumes single quoting—a standard shell idiom for embedding literal single quotes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@modules/bigbio/onsite/main.nf` around lines 85 - 88, The shell command
construction is vulnerable to injection because user-supplied parameters wrapped
in single quotes are not escaped—an attacker could inject a single quote to
break out of the quoting context. Escape embedded single quotes in each
user-supplied parameter before interpolation for the variables target_mods,
neutral_losses, decoy_mass, and decoy_losses. Apply the standard shell idiom
pattern to each `params.onsite_*` reference to convert any embedded single
quotes into a safe format that terminates the quoted string, appends an escaped
quote, and resumes quoting, ensuring that malicious input cannot break the
command structure.

@daichengxin daichengxin merged commit 7be544a into bigbio:main Jun 14, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant