Skip to content

fix: Command injection in contract check workflow#161

Open
mrwind-up-bird wants to merge 2 commits intoSimplyLiz:developfrom
mrwind-up-bird:autofix/b3cf0967/command-injection-in-contract-
Open

fix: Command injection in contract check workflow#161
mrwind-up-bird wants to merge 2 commits intoSimplyLiz:developfrom
mrwind-up-bird:autofix/b3cf0967/command-injection-in-contract-

Conversation

@mrwind-up-bird
Copy link
Collaborator

@mrwind-up-bird mrwind-up-bird commented Mar 19, 2026

AutoFix: Command injection in contract check workflow

Category: security
Severity: high

Issue

Contract file paths are directly interpolated into shell commands without sanitization, allowing path traversal and command injection via malicious file names.

Fix

The fix addresses command injection vulnerabilities by: 1) Quoting the git diff range parameter to prevent shell injection via commit hashes, 2) Using printf '%q' to safely escape file paths when echoing them to logs and reports, preventing path traversal and command injection via malicious filenames. The changes maintain the existing functionality while preventing shell metacharacters from being interpreted.

Generated by nyxCore AutoFix

@codecov
Copy link

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 53.79630% with 998 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
cmd/ckb/setup.go 0.0% 161 Missing ⚠️
internal/suggest/analyzer.go 53.6% 142 Missing and 12 partials ⚠️
internal/testgap/analyzer.go 12.3% 140 Missing and 2 partials ⚠️
internal/query/compound_refactor.go 37.1% 105 Missing and 15 partials ⚠️
internal/query/prepare_rename.go 0.0% 70 Missing ⚠️
internal/mcp/server.go 19.1% 51 Missing and 4 partials ⚠️
internal/mcp/tool_impls_compound.go 46.3% 41 Missing and 10 partials ⚠️
internal/query/prepare_move.go 63.1% 32 Missing and 6 partials ⚠️
internal/audit/analyzer.go 21.0% 30 Missing ⚠️
internal/query/compound.go 25.0% 24 Missing and 3 partials ⚠️
... and 13 more
Additional details and impacted files 
@@            Coverage Diff            @@
##           develop    #161     +/-   ##
=========================================
+ Coverage     45.1%   45.6%   +0.5%     
=========================================
  Files          350     367     +17     
  Lines        59747   61934   +2187     
=========================================
+ Hits         26961   28274   +1313     
- Misses       30960   31744    +784     
- Partials      1826    1916     +90
Flag Coverage Δ
unit 45.6% <53.7%> (+0.5%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

📢 Thoughts on this report? Let us know!

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrwind-up-bird @SimplyLiz