From 23f4bd6bfea58b57c26aa2b5fa466e652b29f46b Mon Sep 17 00:00:00 2001 From: fireddd Date: Fri, 10 Apr 2026 02:08:01 +0530 Subject: [PATCH] fix(ci): prevent Node.js code injection in plugin directory name Replace `node -e` with `jq` for reading plugin package names in the coverage workflow. The previous approach interpolated $plugin_dir directly into a JavaScript expression, which could allow code injection via crafted directory names. Closes #913 Co-Authored-By: Claude Opus 4.6 --- .github/workflows/coverage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 978173c07..83a822722 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -76,7 +76,7 @@ jobs: # Run coverage for each changed plugin for plugin_dir in $(echo "$CHANGED" | grep '^packages/plugins/' | cut -d/ -f1-3 | sort -u); do if [ -f "$plugin_dir/package.json" ]; then - pkg_name=$(node -e "console.log(require('./$plugin_dir/package.json').name)") + pkg_name=$(jq -r .name "$plugin_dir/package.json") echo "::group::$pkg_name tests" pnpm --filter "$pkg_name" exec vitest run --coverage.enabled --coverage.reporter=json || true echo "::endgroup::"