fix(ci): prevent Node.js code injection in plugin directory name

Replace `node -e` with `jq` for reading plugin package names in the
coverage workflow. The previous approach interpolated $plugin_dir
directly into a JavaScript expression, which could allow code injection
via crafted directory names.

Closes #913

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fireddd 2026-04-10 02:08:01 +05:30
parent cfc87877a1
commit 23f4bd6bfe
1 changed files with 1 additions and 1 deletions

View File

@ -76,7 +76,7 @@ jobs:
# Run coverage for each changed plugin
for plugin_dir in $(echo "$CHANGED" | grep '^packages/plugins/' | cut -d/ -f1-3 | sort -u); do
if [ -f "$plugin_dir/package.json" ]; then
pkg_name=$(node -e "console.log(require('./$plugin_dir/package.json').name)")
pkg_name=$(jq -r .name "$plugin_dir/package.json")
echo "::group::$pkg_name tests"
pnpm --filter "$pkg_name" exec vitest run --coverage.enabled --coverage.reporter=json || true
echo "::endgroup::"