Update main.nf#41
Conversation
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Warning Review limit reached
More reviews will be available in 56 minutes and 3 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughTwo targeted corrections in ChangesONSITE command construction corrections
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@modules/bigbio/onsite/main.nf`:
- Around line 85-88: The shell command construction is vulnerable to injection
because user-supplied parameters wrapped in single quotes are not escaped—an
attacker could inject a single quote to break out of the quoting context. Escape
embedded single quotes in each user-supplied parameter before interpolation for
the variables target_mods, neutral_losses, decoy_mass, and decoy_losses. Apply
the standard shell idiom pattern to each `params.onsite_*` reference to convert
any embedded single quotes into a safe format that terminates the quoted string,
appends an escaped quote, and resumes quoting, ensuring that malicious input
cannot break the command structure.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 2f4186be-3726-4e2f-bd98-758ac9c5fa92
📒 Files selected for processing (1)
modules/bigbio/onsite/main.nf
| def target_mods = params.onsite_target_modifications ? "--target-modifications '${params.onsite_target_modifications}'" : "--target-modifications 'Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)'" | ||
| def neutral_losses = params.onsite_neutral_losses ? "--neutral-losses '${params.onsite_neutral_losses}'" : "--neutral-losses 'sty -H3PO4 -97.97690'" | ||
| def decoy_mass = params.onsite_decoy_mass ? "--decoy-mass ${params.onsite_decoy_mass}" : "--decoy-mass 79.966331" | ||
| def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses ${params.onsite_decoy_neutral_losses}" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'" | ||
| def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses '${params.onsite_decoy_neutral_losses}'" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'" |
There was a problem hiding this comment.
Shell injection vulnerability: unescaped single quotes in user-supplied parameters.
Wrapping user-supplied values in single quotes does not prevent shell injection if the value itself contains a single quote. An attacker could break out of the quoting context.
Example: If params.onsite_target_modifications = "Phospho(S)'; rm -rf /; echo '", the resulting command becomes:
--target-modifications 'Phospho(S)'; rm -rf /; echo ''Escape embedded single quotes before interpolation:
🛡️ Proposed fix: escape single quotes in user values
// Optional target modifications - default for LucXor includes decoy
- def target_mods = params.onsite_target_modifications ? "--target-modifications '${params.onsite_target_modifications}'" : "--target-modifications 'Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)'"
- def neutral_losses = params.onsite_neutral_losses ? "--neutral-losses '${params.onsite_neutral_losses}'" : "--neutral-losses 'sty -H3PO4 -97.97690'"
+ def target_mods_val = params.onsite_target_modifications ? params.onsite_target_modifications.toString().replaceAll(/'/, "'\"'\"'") : "Phospho(S),Phospho(T),Phospho(Y),PhosphoDecoy(A)"
+ def target_mods = "--target-modifications '${target_mods_val}'"
+ def neutral_losses_val = params.onsite_neutral_losses ? params.onsite_neutral_losses.toString().replaceAll(/'/, "'\"'\"'") : "sty -H3PO4 -97.97690"
+ def neutral_losses = "--neutral-losses '${neutral_losses_val}'"
def decoy_mass = params.onsite_decoy_mass ? "--decoy-mass ${params.onsite_decoy_mass}" : "--decoy-mass 79.966331"
- def decoy_losses = params.onsite_decoy_neutral_losses ? "--decoy-neutral-losses '${params.onsite_decoy_neutral_losses}'" : "--decoy-neutral-losses 'X -H3PO4 -97.97690'"
+ def decoy_losses_val = params.onsite_decoy_neutral_losses ? params.onsite_decoy_neutral_losses.toString().replaceAll(/'/, "'\"'\"'") : "X -H3PO4 -97.97690"
+ def decoy_losses = "--decoy-neutral-losses '${decoy_losses_val}'"The pattern '\"'\"' ends the single-quoted string, appends a double-quoted single quote, then resumes single quoting—a standard shell idiom for embedding literal single quotes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@modules/bigbio/onsite/main.nf` around lines 85 - 88, The shell command
construction is vulnerable to injection because user-supplied parameters wrapped
in single quotes are not escaped—an attacker could inject a single quote to
break out of the quoting context. Escape embedded single quotes in each
user-supplied parameter before interpolation for the variables target_mods,
neutral_losses, decoy_mass, and decoy_losses. Apply the standard shell idiom
pattern to each `params.onsite_*` reference to convert any embedded single
quotes into a safe format that terminates the quoted string, appends an escaped
quote, and resumes quoting, ensuring that malicious input cannot break the
command structure.
Pull Request
Description
Checklist
main.nfincludes process definitionmeta.ymlincludes complete documentationenvironment.ymlspecifies dependenciesModule Type
Related Issues
Closes #
Summary by CodeRabbit