ros/automaker
1
0
Fork 0
mirror of https://github.com/AutoMaker-Org/automaker.git synced 2026-02-05 09:33:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Update fetchLinkedPRs to prevent shell injection vulnerabilities

Browse Source 
- Modified the fetchLinkedPRs function to use JSON.stringify for the request body, ensuring safe input handling when spawning the GitHub CLI command.
- Changed the command to read the query from stdin using the --input flag, enhancing security against shell injection risks.
This commit is contained in:
Kacper
2025-12-24 01:41:05 +01:00
parent 7b61a274e5
commit 1ff617703c
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
apps/server/src/routes/github/routes/list-issues.ts
View File

@@ -111,8 +111,10 @@ async function fetchLinkedPRs(
try { try {
// Use spawn with stdin to avoid shell injection vulnerabilities // Use spawn with stdin to avoid shell injection vulnerabilities
// --input - reads the JSON request body from stdin
const requestBody = JSON.stringify({ query });
const response = await new Promise<Record<string, unknown>>((resolve, reject) => { const response = await new Promise<Record<string, unknown>>((resolve, reject) => {
const gh = spawn('gh', ['api', 'graphql', '-f', 'query=-'], { const gh = spawn('gh', ['api', 'graphql', '--input', '-'], {
cwd: projectPath, cwd: projectPath,
env: execEnv, env: execEnv,
}); });
@@ -133,7 +135,7 @@ async function fetchLinkedPRs(
} }
}); });
gh.stdin.write(query); gh.stdin.write(requestBody);
gh.stdin.end(); gh.stdin.end();
}); });