Skip to content

fix: Unvalidated curl commands in workflows#150

Open
mrwind-up-bird wants to merge 2 commits intoSimplyLiz:developfrom
mrwind-up-bird:autofix/b3cf0967/unvalidated-curl-commands-in-w
Open

fix: Unvalidated curl commands in workflows#150
mrwind-up-bird wants to merge 2 commits intoSimplyLiz:developfrom
mrwind-up-bird:autofix/b3cf0967/unvalidated-curl-commands-in-w

Conversation

@mrwind-up-bird
Copy link
Collaborator

@mrwind-up-bird mrwind-up-bird commented Mar 19, 2026

AutoFix: Unvalidated curl commands in workflows

Category: security
Severity: medium

Issue

Multiple workflow files use curl commands with unvalidated URLs and responses. Malicious responses could lead to command injection or data exfiltration if the CKB server is compromised.

Fix

Added security hardening to curl commands by using --fail to prevent processing of error responses, --max-time to prevent hanging requests, and proper variable quoting to prevent shell injection. These changes mitigate the risk of command injection from malicious server responses while maintaining the same functionality.

Generated by nyxCore AutoFix

@codecov
Copy link

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 53.79630% with 998 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
cmd/ckb/setup.go 0.0% 161 Missing ⚠️
internal/suggest/analyzer.go 53.6% 142 Missing and 12 partials ⚠️
internal/testgap/analyzer.go 12.3% 140 Missing and 2 partials ⚠️
internal/query/compound_refactor.go 37.1% 105 Missing and 15 partials ⚠️
internal/query/prepare_rename.go 0.0% 70 Missing ⚠️
internal/mcp/server.go 19.1% 51 Missing and 4 partials ⚠️
internal/mcp/tool_impls_compound.go 46.3% 41 Missing and 10 partials ⚠️
internal/query/prepare_move.go 63.1% 32 Missing and 6 partials ⚠️
internal/audit/analyzer.go 21.0% 30 Missing ⚠️
internal/query/compound.go 25.0% 24 Missing and 3 partials ⚠️
... and 13 more
Additional details and impacted files 
@@            Coverage Diff            @@
##           develop    #150     +/-   ##
=========================================
+ Coverage     45.1%   45.6%   +0.5%     
=========================================
  Files          350     367     +17     
  Lines        59747   61934   +2187     
=========================================
+ Hits         26961   28285   +1324     
- Misses       30960   31736    +776     
- Partials      1826    1913     +87
Flag Coverage Δ
unit 45.6% <53.7%> (+0.5%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrwind-up-bird @SimplyLiz