
ci: guard against shell injection #6965

Merged
birkskyum merged 1 commit into main from ci--guard-against-shell-injection
Mar 18, 2026

Conversation

birkskyum (Member) commented Mar 18, 2026

CI vulnerability surfaced by CodeRabbit:

Prevent shell injection by passing repository paths as command arguments.

relPath comes from filesystem glob results and can contain shell metacharacters. When interpolated into the execSync command string, a maliciously named package directory (e.g., query$(whoami)/package.json) would execute arbitrary commands during the release workflow. Use execFileSync with an argument array to bypass shell interpretation.

Summary by CodeRabbit

  • Chores
    • Updated internal release automation to improve reliability and efficiency of the release creation process.

nx-cloud bot (Contributor) commented Mar 18, 2026

View your CI Pipeline Execution for commit 35ce7a3

Command                                              Status        Duration  Result
nx affected --targets=test:eslint,test:unit,tes...   ✅ Succeeded  <1s       View
nx run-many --target=build --exclude=examples/*...   ✅ Succeeded  1s        View

☁️ Nx Cloud last updated this comment at 2026-03-18 00:44:35 UTC

github-actions bot (Contributor):

🚀 Changeset Version Preview

No changeset entries found. Merging this PR will not cause a version bump for any packages.

pkg-pr-new bot commented Mar 18, 2026

commit: 35ce7a3

coderabbitai bot (Contributor) commented Mar 18, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14fc884f-19ee-45f8-837e-793732adafd9

📥 Commits

Reviewing files that changed from the base of the PR and between 3a32ad6 and 35ce7a3.

📒 Files selected for processing (1)
  • scripts/create-github-release.mjs

Walkthrough

The script scripts/create-github-release.mjs is updated to use execFileSync instead of execSync for executing a git command. The import statement is modified to include execFileSync from node:child_process, and the git show invocation is refactored from a concatenated string format to an argument array format with explicit encoding and stdio configuration.

Changes

Cohort / File(s): Git Command Execution Refactoring (scripts/create-github-release.mjs)
Summary: Updated import to include execFileSync alongside execSync. Replaced the execSync(`git show ...`) string invocation with execFileSync('git', ['show', ...], { encoding: 'utf-8', stdio: [...] }) for safer argument passing and explicit stream handling.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A hop, skip, and refactor so fine,
From strings to arrays, the code does align,
Exec to ExecFile, a safer way to go,
Git commands now flow with a cleaner show! 🌟


@birkskyum birkskyum merged commit 5a23ce2 into main Mar 18, 2026
6 of 7 checks passed
@birkskyum birkskyum deleted the ci--guard-against-shell-injection branch March 18, 2026 00:48