fix(ci): prevent Node.js code injection in plugin directory name
Replace `node -e` with `jq` for reading plugin package names in the coverage workflow. The previous approach interpolated $plugin_dir directly into a JavaScript expression, which could allow code injection via crafted directory names. Closes #913 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
cfc87877a1
commit
23f4bd6bfe
|
|
@ -76,7 +76,7 @@ jobs:
|
|||
# Run coverage for each changed plugin
|
||||
for plugin_dir in $(echo "$CHANGED" | grep '^packages/plugins/' | cut -d/ -f1-3 | sort -u); do
|
||||
if [ -f "$plugin_dir/package.json" ]; then
|
||||
pkg_name=$(node -e "console.log(require('./$plugin_dir/package.json').name)")
|
||||
pkg_name=$(jq -r .name "$plugin_dir/package.json")
|
||||
echo "::group::$pkg_name tests"
|
||||
pnpm --filter "$pkg_name" exec vitest run --coverage.enabled --coverage.reporter=json || true
|
||||
echo "::endgroup::"
|
||||
|
|
|
|||
Loading…
Reference in New Issue