Fix/CWE 78 os command injection editor#36270
Conversation
Create security-scan.yml
- Add SHELL_METACHARACTERS_RE to reject paths and editor binaries containing shell operators (&, |, ;, etc.) before they reach cmd.exe /C on Windows, preventing OS command injection. - Parse VISUAL/EDITOR env vars through shell-quote parse() consistent with how REACT_EDITOR is already handled, neutralising metacharacters in those values before they are used as the spawned editor binary. - Validate maybeRelativePath in getValidFilePath (line 116 entry point) so injected paths are rejected before reaching launchEditor. Resolves: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
|
Hi @novanynx! Thank you for your pull request and welcome to our community. Action RequiredIn order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you. ProcessIn order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks! |
2 participants
Summary
How did you test this change?