Skip to content

Potential fix for code scanning alert no. 1: Uncontrolled command line #22

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
ShankarWarang wants to merge 1 commit into
base: milestone-2
Choose a base branch
from
Draft

Potential fix for code scanning alert no. 1: Uncontrolled command line #22

ShankarWarang wants to merge 1 commit into from

Conversation

@ShankarWarang
Copy link
Member

@ShankarWarang ShankarWarang commented Jan 5, 2026

Potential fix for https://github.com/edgeware-network/agent-dot/security/code-scanning/1

General approach: avoid spawning a shell with a concatenated string. Instead, invoke the package manager executable directly using execFileSync (or spawnSync) and pass command and arguments as an array of strings. This prevents shell metacharacters in user input from being interpreted by a shell.

Best concrete fix here:

  1. Replace the final execSync call with execFileSync from child_process.
  2. Construct an argument array where:
    • The first element is the subcommand (e.g. install, run, etc.).
    • Remaining elements are the rest of the CLI arguments.
  3. To preserve behavior, we should not naïvely join and re-split command by whitespace, as that would break quoted arguments. Instead, we can:
    • Keep process.argv.slice(2) in an array, and
    • Derive subcommand and args from that array (no need to ever create the command string).
  4. Continue to use execSync for the version checks (bun --version, pnpm --version), as those do not involve untrusted data.

Concretely, in scripts/run-with-pm.cjs:

  • Keep const pm = detectPackageManager();.
  • Replace const command = process.argv.slice(2).join(" "); with const argv = process.argv.slice(2);.
  • Adjust the “no command” guard to check argv.length.
  • Extract subcommand = argv[0] and args = argv.slice(1) and call: 
    execFileSync(pm, [subcommand, ...args], { stdio: "inherit" });
  • Import execFileSync alongside execSync.

This change keeps the semantics of “run the chosen package manager with the supplied arguments” without exposing a shell injection surface.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@ShankarWarang @github-advanced-security
fix for uncontrolled command line
e0bffcb 
Code that passes untrusted user input directly to child_process.exec or similar APIs that execute shell commands allows the user to execute malicious code.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vercel
Copy link

vercel bot commented Jan 5, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
agent-dot Ready Ready Preview, Comment Jan 5, 2026 6:58pm

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 5, 2026
View reviewed changes
scripts/run-with-pm.cjs
const argv = process.argv.slice(2);

if (!command) {
if (argv.length === 0) {

Check failure

Code scanning / CodeQL

User-controlled bypass of security check High

This condition guards a sensitive
action
Loading
, but a
user-provided value
Loading
controls it.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ShankarWarang