๐ Semgrep scan resultsย #1487
Description
Semgrep Scan Report
The following issues were found by Semgrep:
Full Log
โโโโโโโโโโโโโโโโโโโโ
โ 34 Code Findings โ
โโโโโโโโโโโโโโโโโโโโ
.github/workflow-templates/cargo-build/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
67โ run: |
68โ features_flags="${{ inputs.features }}|${{ env.RUSTFLAGS }}"
69โ echo "features_flags: $features_flags"
70โ key_hash=$(echo "$features_flags" | sha256sum | cut -d' ' -f1)
71โ commit_hash=$(git rev-parse HEAD)
72โ key="cargo-build-key-${key_hash}-${commit_hash}"
73โ echo "Computed cache key: $key"
74โ echo "key=$key" >> $GITHUB_OUTPUT
75โ
โฎโ----------------------------------------
86โ run: |
87โ params=" --locked --release"
88โ if [ -n "${{ inputs.features }}" ]; then
89โ params="$params --features ${{ inputs.features }}"
90โ fi
91โ echo "cargo build $params"
92โ cargo build $params
93โ
.github/workflow-templates/copy-parachain-node-binaries/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
17โ run: |
18โ mkdir -p binaries
19โ suffix=""
20โ if [ "${{ inputs.cpu }}" != "" ]; then
21โ suffix="-${{ inputs.cpu }}"
22โ fi
23โ
24โ cp target/${{ inputs.profile }}/tanssi-node binaries/tanssi-node$suffix
25โ cp target/${{ inputs.profile }}/container-chain-frontier-node binaries/container-chain-
frontier-node$suffix
26โ cp target/${{ inputs.profile }}/container-chain-simple-node binaries/container-chain-
simple-node$suffix
.github/workflow-templates/copy-relaychain-node-binaries/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
17โ run: |
18โ mkdir -p binaries
19โ suffix=""
20โ if [ "${{ inputs.cpu }}" != "" ]; then
21โ suffix="-${{ inputs.cpu }}"
22โ fi
23โ
24โ cp target/${{ inputs.profile }}/tanssi-relay binaries/tanssi-relay$suffix
25โ cp target/${{ inputs.profile }}/tanssi-relay-execute-worker binaries/tanssi-relay-
execute-worker$suffix
26โ cp target/${{ inputs.profile }}/tanssi-relay-prepare-worker binaries/tanssi-relay-
prepare-worker$suffix
.github/workflow-templates/publish-node-docker/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
16โ run: |
17โ DOCKER_IMAGE=moondancelabs/${{ inputs.image }}
18โ VERSION="${{ inputs.tag }}"
19โ CLEAN_VERSION="${VERSION%%-*}"
20โ COMMIT=`git rev-list -n 1 '${{ inputs.tag }}'`
21โ SHA=sha-${COMMIT::8}
22โ echo using "${DOCKER_IMAGE}:${SHA} as base image"
23โ
24โ echo building "${DOCKER_IMAGE}:${CLEAN_VERSION}"
25โ docker build \
[hid 27 additional lines, adjust with --max-lines-per-finding]
.github/workflow-templates/publish-runtime-docker/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
16โ run: |
17โ DOCKER_IMAGE=moondancelabs/${{ inputs.image }}
18โ DOCKER_TAG="${{ inputs.tag }}"
19โ COMMIT=`git rev-list -n 1 '${{ inputs.tag }}'`
20โ SHA=sha-${COMMIT::8}
21โ echo tagging "${DOCKER_IMAGE}:${SHA}"
22โ docker pull "${DOCKER_IMAGE}:${SHA}"
23โ docker tag "${DOCKER_IMAGE}:${SHA}" "${DOCKER_IMAGE}:${DOCKER_TAG}"
24โ docker push "${DOCKER_IMAGE}:${DOCKER_TAG}"
.github/workflow-templates/typescript-tests-moonwall/action.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
40โ run: |
41โ cd ./test
42โ pnpm moonwall test ${{ inputs.moonwall-environment }} || [[ '${{ inputs.force-pass }}' ==
'true' ]]
.github/workflows/bump-runtime-versions.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
25โ run: |
26โ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
27โ echo "branch=${{ github.event.inputs.branch }}" >> $GITHUB_OUTPUT
28โ else
29โ echo "branch=master" >> $GITHUB_OUTPUT
30โ fi
31โ
.github/workflows/client-release-issue.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
48โ run: |
49โ npm i
50โ npm run --silent print-client-release-issue -- --chainType ${{
github.event.inputs.binary-type }} --from ${{ github.event.inputs.from }} --to ${{
github.event.inputs.to }} | tee ../client-release-issue.md
.github/workflows/docker-runtime-draft.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
36โ run: |
37โ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
38โ echo "git_ref=${{ github.event.inputs.branch }}" >> $GITHUB_OUTPUT
39โ echo "git_branch=${{ github.event.inputs.branch }}" >> $GITHUB_OUTPUT
40โ else
41โ echo "git_ref=${{ github.event.inputs.to }}" >> $GITHUB_OUTPUT
42โ echo "git_branch=$(echo ${GITHUB_REF##*/})" >> $GITHUB_OUTPUT
43โ echo ${GITHUB_REF##*/}
44โ fi
.github/workflows/publish-binary-from-docker.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
37โ run: |
38โ ./test/scripts/download-latest-rt-binaries.sh ${{ github.event.inputs.binaries }}
--include-all-archs --tag ${{ github.event.inputs.docker_tag }}
.github/workflows/publish-binary-tanssi-solochain.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
86โ run: |
87โ yarn
88โ yarn -s run ts-node github/generate-release-body.ts --owner "${{ github.repository_owner
}}" --repo "$(basename ${{ github.repository }})" --from ${{ github.event.inputs.from }}
--to ${{ github.event.inputs.to }} --srtool-report-folder '../build/' > ../body.md
.github/workflows/publish-binary.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
87โ run: |
88โ yarn
89โ yarn -s run ts-node github/generate-release-body.ts --owner "${{ github.repository_owner
}}" --repo "$(basename ${{ github.repository }})" --from ${{ github.event.inputs.from }}
--to ${{ github.event.inputs.to }} --srtool-report-folder '../build/' > ../body.md
.github/workflows/publish-docker-tanssi-solochain.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
32โ run: |
33โ mkdir -p build
34โ VERSION="${{ github.event.inputs.tag }}"
35โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}" -O build/${{
matrix.image.file_name }}
36โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-execute-worker" -O
build/${{ matrix.image.file_name }}-execute-worker
37โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-prepare-worker" -O
build/${{ matrix.image.file_name }}-prepare-worker
38โ
39โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-skylake" -O build/${{
matrix.image.file_name }}-skylake
40โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-execute-worker-skylake"
-O build/${{ matrix.image.file_name }}-execute-worker-skylake
41โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-prepare-worker-skylake"
-O build/${{ matrix.image.file_name }}-prepare-worker-skylake
[hid 5 additional lines, adjust with --max-lines-per-finding]
.github/workflows/publish-docker.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
34โ run: |
35โ mkdir -p build
36โ VERSION="${{ github.event.inputs.tag }}"
37โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}" -O build/${{
matrix.image.file_name }}
38โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-skylake" -O build/${{
matrix.image.file_name }}-skylake
39โ wget "${{ env.BASE_URL }}/$VERSION/${{ matrix.image.file_name }}-znver3" -O build/${{
matrix.image.file_name }}-znver3
40โ
.github/workflows/publish-runtime.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
67โ run: |
68โ dancebox='{"runtime_name": "dancebox","runtime_path" : "./chains/orchestrator-
paras/runtime/dancebox/src/lib.rs", "build_features": "metadata-hash"}'
69โ flashbox='{"runtime_name": "flashbox","runtime_path" : "./chains/orchestrator-
paras/runtime/flashbox/src/lib.rs", "build_features": "metadata-hash"}'
70โ frontier_template='{"runtime_name": "frontier-template","runtime_path" :
"./chains/container-chains/runtime-templates/frontier/src/lib.rs", "build_features":
"metadata-hash"}'
71โ simple_template='{"runtime_name": "simple-template","runtime_path" : "./chains/container-
chains/runtime-templates/simple/src/lib.rs", "build_features": "metadata-hash"}'
72โ dancelight='{"runtime_name": "dancelight","runtime_path" : "./chains/orchestrator-
relays/runtime/dancelight/src/lib.rs", "build_features": "on-chain-release-build"}'
73โ starlight='{"runtime_name": "starlight","runtime_path" : "./chains/orchestrator-
relays/runtime/starlight/src/lib.rs", "build_features": "on-chain-release-build"}'
74โ
75โ if [[ ${{ github.event.inputs.chains }} = "orchestrator-para-only" ]]; then
76โ echo "matrix_tests=[$dancebox, $flashbox]" >> $GITHUB_OUTPUT
[hid 19 additional lines, adjust with --max-lines-per-finding]
207โ run: |
208โ RUNTIMES=$(echo '${{needs.matrix_prep.outputs.matrix_tests}}' | jq -r '.[] |
.runtime_name + " "')
209โ yarn
210โ yarn -s run ts-node github/generate-runtimes-body.ts --owner "${{ github.repository_owner
}}" --repo "$(basename ${{ github.repository }})" --from "${{ github.event.inputs.from }}"
--to "${{ github.event.inputs.to }}" --srtool-report-folder '../build/' --runtimes
$RUNTIMES > ../body.md - name: Get runtime version
โฎโ----------------------------------------
213โ run: |
214โ version="$(echo ${{ github.event.inputs.to }} | grep -o '[0-9]*')"
215โ name="$(echo ${{ github.event.inputs.chains }} | sed -e 's/\(-only\)*$//g')"
216โ title="$name $version"
217โ echo "title=$title" >> $GITHUB_OUTPUT
.github/workflows/release.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
31โ run: |
32โ if [[ -n "${{ github.event.pull_request.head.sha }}" ]]; then
33โ echo "git_branch=$(echo ${GITHUB_HEAD_REF})" >> $GITHUB_OUTPUT
34โ echo "git_ref=${{ github.event.pull_request.head.sha }}" >> $GITHUB_OUTPUT
35โ elif [[ -n "${{ github.event.inputs.pull_request }}" ]]; then
36โ echo "git_branch=$(echo ${GITHUB_HEAD_REF})" >> $GITHUB_OUTPUT
37โ echo "git_ref=refs/pull/${{ github.event.inputs.pull_request }}/head" >>
$GITHUB_OUTPUT
38โ else
39โ echo "git_branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
40โ echo "git_ref=$GITHUB_REF" >> $GITHUB_OUTPUT
[hid 1 additional lines, adjust with --max-lines-per-finding]
.github/workflows/run-zombienet-tests.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
63โ run: |
64โ foundation_type="${{ github.event.inputs.foundation_type || 'zombie' }}"
65โ test_name="${{ github.event.inputs.test_name || '' }}"
66โ test_bundle="${{ github.event.inputs.test_bundle || 'weekly_bundle' }}"
67โ
68โ echo "Input test_name: $test_name"
69โ echo "Input bundle: $test_bundle"
70โ
71โ if [ -z "$test_name" ]; then
72โ if [ "$test_bundle" == "weekly_bundle" ]; then
[hid 23 additional lines, adjust with --max-lines-per-finding]
.github/workflows/runtime-release-issue.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
45โ run: |
46โ npm i
47โ npm run --silent print-runtime-release-issue -- --from ${{ github.event.inputs.from }}
--to ${{ github.event.inputs.to }} --client ${{ github.event.inputs.client }} | tee
../runtime-release-issue.md
.github/workflows/test-all-benchmarks-schedule.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
26โ run: |
27โ if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
28โ echo "branch=${{ github.event.inputs.branch }}" >> $GITHUB_OUTPUT
29โ else
30โ echo "branch=master" >> $GITHUB_OUTPUT
31โ fi
32โ
.github/workflows/upgrade-typescript-api.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
44โ run: |
45โ COMMIT=`git rev-list -n 1 'runtime-${{ github.event.inputs.spec_version }}'`
46โ echo "FINISHED"
47โ SHA=sha-${COMMIT::8}
48โ DOCKER_TAG="moondancelabs/tanssi:$SHA"
49โ
50โ # Clear the dummy container if it wasn't properly cleaned up
51โ docker rm -f dummy 2> /dev/null
52โ docker create -ti --name dummy $DOCKER_TAG bash
53โ mkdir -p target/release
[hid 3 additional lines, adjust with --max-lines-per-finding]
70โ run: |
71โ cd typescript-api
72โ pnpm version --no-git-tag-version 0.${{ github.event.inputs.spec_version }}.0
.github/workflows/version-bump.yml
โฏโฏโฑ yaml.github-actions.security.run-shell-injection.run-shell-injection
Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an
attacker to inject their own code into the runner. This would allow them to steal secrets and code.
`github` context data can have arbitrary user input and should be treated as untrusted. Instead, use
an intermediate environment variable with `env:` to store the data and use the environment variable
in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
Details: https://sg.run/pkzk
25โ run: |
26โ cd tools
27โ yarn install
28โ yarn --silent run print-version-bump-info -- --from ${{ github.event.inputs.from }} --to
${{ github.event.inputs.to }} | tee ../version-bump.md
client/service-container-chain-spawner/src/spawner.rs
โฏโฏโฑ rust.actix.path-traversal.tainted-path.tainted-path
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
1282โ let entry_iter = std::fs::read_dir(&paritydb_path)?;
client/service-orchestrator-chain/src/solochain.rs
โฏโฏโฑ rust.actix.path-traversal.tainted-path.tainted-path
The application builds a file path from potentially untrusted data, which can lead to a path
traversal vulnerability. An attacker can manipulate the path which the application uses to access
files. If the application does not validate user input and sanitize file paths, sensitive files such
as configuration or user data can be accessed, potentially creating or overwriting files. To prevent
this vulnerability, validate and sanitize any input that is used to create references to file paths.
Also, enforce strict file access controls. For example, choose privileges allowing public-facing
applications to access only the required files.
Details: https://sg.run/YWX5
693โ for entry in fs::read_dir(src)? {
tools/github/generate-runtimes-body.ts
โฏโฏโฑ javascript.lang.security.detect-child-process.detect-child-process
Detected calls to child_process from a function argument `runtimeName`. This could lead to a command
injection if the input is user controllable. Try to avoid calls to child_process, and if it is
needed ensure user input is correctly sanitized or sandboxed.
Details: https://sg.run/l2lo
21โ `cat ../chains/container-chains/runtime-
templates/${runtimeName.split("-template")[0]}/src/lib.rs | grep 'spec_version: [0-9]*' |
tail -1`
โฎโ----------------------------------------
33โ `cat ../chains/orchestrator-relays/runtime/${runtimeName}/src/lib.rs | grep 'spec_version:
[0-9]*' | tail -1`
โฎโ----------------------------------------
45โ `cat ../chains/orchestrator-paras/runtime/${runtimeName}/src/lib.rs | grep 'spec_version:
[0-9]*' | tail -1`
tools/github/github-utils.ts
โฏโฏโฑ javascript.lang.security.detect-child-process.detect-child-process
Detected calls to child_process from a function argument `packageName`. This could lead to a command
injection if the input is user controllable. Try to avoid calls to child_process, and if it is
needed ensure user input is correctly sanitized or sandboxed.
Details: https://sg.run/l2lo
10โ `git show ${previousTag}:../Cargo.lock | grep ${packageName}? | head -1 | grep -o '".*"'`
โฎโ----------------------------------------
โฏโฏโฑ javascript.lang.security.detect-child-process.detect-child-process
Detected calls to child_process from a function argument `previousTag`. This could lead to a command
injection if the input is user controllable. Try to avoid calls to child_process, and if it is
needed ensure user input is correctly sanitized or sandboxed.
Details: https://sg.run/l2lo
10โ `git show ${previousTag}:../Cargo.lock | grep ${packageName}? | head -1 | grep -o '".*"'`
โฎโ----------------------------------------
โฏโฏโฑ javascript.lang.security.detect-child-process.detect-child-process
Detected calls to child_process from a function argument `newTag`. This could lead to a command
injection if the input is user controllable. Try to avoid calls to child_process, and if it is
needed ensure user input is correctly sanitized or sandboxed.
Details: https://sg.run/l2lo
16โ `git show ${newTag}:../Cargo.lock | grep ${packageName}? | head -1 | grep -o '".*"'`
โฎโ----------------------------------------
โฏโฏโฑ javascript.lang.security.detect-child-process.detect-child-process
Detected calls to child_process from a function argument `packageName`. This could lead to a command
injection if the input is user controllable. Try to avoid calls to child_process, and if it is
needed ensure user input is correctly sanitized or sandboxed.
Details: https://sg.run/l2lo
16โ `git show ${newTag}:../Cargo.lock | grep ${packageName}? | head -1 | grep -o '".*"'`Metadata
Metadata
Assignees
Labels
No labels