V12 #2102
base: master
1f5fd86 to ca9bbbf
05fa616 to 36c320d
function bootstrap() {
execSync(path.resolve('scripts/clean.js'), opts)
Check warning (Code scanning / CodeQL): Shell command built from environment values (Medium)
absolute path
Copilot Autofix (AI, about 2 months ago)
To fix this vulnerability and avoid misinterpretation of a file path passed to the shell, the project should explicitly invoke the script using the Node.js interpreter and pass the path as an argument, rather than passing the resolved path directly as the shell command to execSync. The best practice is to use execFileSync("node", [path.resolve("scripts/clean.js")], opts) instead. This approach ensures that the file path is not interpreted by the shell, and special characters, spaces, or shell metacharacters in the path cannot alter command execution. The edit should be made only on line 68 in scripts/bootstrap.js, replacing the usage of execSync for executing the clean script.
| @@ -65,7 +65,11 @@ | ||
| } | ||
|
|
||
| function bootstrap() { | ||
| execSync(path.resolve('scripts/clean.js'), opts) | ||
| require('child_process').execFileSync( | ||
| 'node', | ||
| [path.resolve('scripts/clean.js')], | ||
| opts | ||
| ); | ||
| buildProject() | ||
| } | ||
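Review bot: the replacement calls `require('child_process').execFileSync(...)` inline inside `bootstrap()`, although the removed line calls `execSync` unqualified, so the file already imports from `child_process`; add `execFileSync` to that existing import rather than nesting a `require` in the function. Also confirm that `opts`, which is passed through unchanged, does not set `shell: true`: with that option `execFileSync` still runs the command through a shell and the finding would not actually be resolved. Using `process.execPath` instead of the bare string `'node'` would make the call independent of whichever `node` is first on `PATH`.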
|
|
…edTokens to generateStyles INSTUI-4846
remove require path, because it was used to import from the deprecated 'canvas-theme', 'canvar-high-contrast-theme' packages
remove functional theme support, it was used only for Avatar
useStyle no longer needs generateComponentTheme since this is not used by new themes
No description provided.