security: resolve two security findings #6
Replace the redundant fs.access existence probe with a direct fs.readFile of the extracted binary. The separate check-then-use was a time-of-check/time-of-use race (CodeQL js/file-system-race, CWE-367); readFile already throws ENOENT if extraction did not produce the binary, so behaviour is preserved and the flagged data flow is removed. Rebuilt dist/ to match src/.

Resolves: code-scanning alert bitwise-media-group#3
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
Note: Merging this PR: this repository merges by fast-forward so every The branch must be up to date with
…itwise-media-group#3 integration code downloading a fixed trusted release URL into a throwaway temp dir purely to exercise signature verification. bitwise-media-group#3 (js/file-system-race) recorded as remediated by the accompanying install fix.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

3904d4d to 4f6b725
Add an 'npm run pr' script (check:fix + format + all) as the single pre-commit gate, and an AGENTS.md instructing agents to always run it before committing so the tree is formatted, typed, tested, and dist/ stays reproducible from src/.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>

Codecov Report: All modified and coverable lines are covered by tests.
Add unit coverage for the TOCTOU fix in downloadAndVerify: the extracted binary is read directly (no fs.access probe) and its bytes are fed to cosign verification, and a missing binary fails fast with ENOENT before the signature bundle is downloaded. Asserts fs.access is never called, so the removed check-then-use pattern cannot regress.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
/auto-merge
Note: Auto-merge armed. Once this PR is approved and every required check Remove the
Cannot
/merge
Fast-forwarded beb2e90 into bitwise-media-group:main