chore(ci): add deprecate action #10591
1 issue found across 1 file
Confidence score: 2/5
- There is a high-confidence security risk in `.github/workflows/deprecate.yml`: a `workflow_dispatch` input is interpolated directly into a `run` shell command, which can enable command injection.
- Because this issue is severity 8/10 with clear user-controlled input reaching shell execution, it is a strong merge risk and should be fixed before merging.
- Pay close attention to `.github/workflows/deprecate.yml`: sanitize/validate dispatch inputs and pass them through environment variables instead of direct shell interpolation.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/deprecate.yml">
<violation number="1" location=".github/workflows/deprecate.yml:28">
P1: Do not interpolate `workflow_dispatch` input directly into a `run` shell command; validate and pass it via environment variables first to prevent command injection.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
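As an added example (not the PR's own workflow and not code from the review bot), the same step rewritten the way the review asks: the dispatch input reaches the script only through `env`, so the shell sees it as data rather than as part of the command text, and it is checked against an exact-semver shape before `npm deprecate` runs. The `version` input name, the `NPM_TOKEN` secret and the deprecation message are taken from the snippet under review; the `setup-node` step and the regex are assumptions of this example.

```yaml
# Added example, not the PR's workflow: hardened "Deprecate selected version" step.
name: Deprecate version

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'axios version to deprecate (exact semver, e.g. 1.13.5)'
        required: true
        type: string

jobs:
  deprecate:
    runs-on: ubuntu-latest
    steps:
      # Assumed setup step so that npm can authenticate against the registry.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - name: Deprecate selected version
        # The input is bound to an environment variable here and is never
        # expanded with ${{ }} inside the script body, so it cannot change
        # the commands that run, only the value they receive.
        env:
          VERSION: ${{ github.event.inputs.version }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        shell: bash
        run: |
          set -euo pipefail
          # Allow-list: exactly MAJOR.MINOR.PATCH, digits and dots only.
          # Whitespace, quotes or any shell metacharacter fails the check.
          semver='^[0-9]+\.[0-9]+\.[0-9]+$'
          if [[ ! $VERSION =~ $semver ]]; then
            echo "::error::Refusing to run: input is not an exact semver version"
            exit 1
          fi
          echo "Deprecating axios@$VERSION"
          # Quoted expansion: the value is passed to npm as a single argument.
          npm deprecate "axios@$VERSION" \
            "🚨 SECURITY: compromised dependency (plain-crypto-js). DO NOT USE. Downgrade to 1.13.6"
```

Because the step runs with a publish-capable `NPM_TOKEN`, the validation matters as much as the `env` indirection: it keeps a mistyped or malformed dispatch value from ever reaching the registry.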
| - name: Deprecate selected version | ||
| run: | | ||
| echo "Deprecating axios@${{ github.event.inputs.version }}" | ||
| npm deprecate axios@${{ github.event.inputs.version }} "🚨 SECURITY: compromised dependency (plain-crypto-js). DO NOT USE. Downgrade to 1.13.6" |
P1: Do not interpolate workflow_dispatch input directly into a run shell command; validate and pass it via environment variables first to prevent command injection.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/deprecate.yml, line 28:
<comment>Do not interpolate `workflow_dispatch` input directly into a `run` shell command; validate and pass it via environment variables first to prevent command injection.</comment>
<file context>
@@ -0,0 +1,30 @@
+ - name: Deprecate selected version
+ run: |
+ echo "Deprecating axios@${{ github.event.inputs.version }}"
+ npm deprecate axios@${{ github.event.inputs.version }} "🚨 SECURITY: compromised dependency (plain-crypto-js). DO NOT USE. Downgrade to 1.13.6"
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
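Review bot: both `run` lines expand `${{ github.event.inputs.version }}` into the script text before bash starts, so whatever the dispatcher types becomes part of the command itself rather than an argument to it; since this step also carries a publish-capable `NODE_AUTH_TOKEN`, the blast radius of an injected command is the whole package. The fix is to add `VERSION: ${{ github.event.inputs.version }}` next to `NODE_AUTH_TOKEN` in the existing `env:` block, reference it as `"$VERSION"` in both lines, and reject anything that is not an exact semver string before `npm deprecate` runs (or declare the input as `type: choice` so only known versions can be selected).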
</file context>
@DigitalBrainJS The issue calling out this compromised version was deleted. Was this intentional?
Why does it recommend 1.13.6 instead of 1.14.0?
@codythatsme No, it was not.
Yes, it was. https://github.com/axios/axios/issues/10590 There were at least 3 other issues that got deleted after this one. Good to see the current one stay up though. Good luck getting everything contained ❤️
Thanks, I meant it was not actively me, i.e. the attacker did this.
This reverts commit e2bed7f.
@haoqunjiang It was the middle of the night when I was alerted to issue #10590 with the word "malicious." While I was waking up and trying to figure out what was going on, version