
Unsafe shell command constructed from library input in AutomationEnvironment.ts #14242

Open
jonthysell opened this issue Jan 6, 2025 · 0 comments
Labels: Area: Compliance; bug; security (Pull requests that address a security vulnerability); Workstream: ES Compliance; SFI (Provide regular ES infrastructure and ensure RNW meets internal security and compliance requirements)

Comments

@jonthysell (Contributor)

Problem Description

CodeQL caught that we're using shell commands from JS to get info about an appx and then launch it for unit tests.

packages/@react-native-windows/automation/src/AutomationEnvironment.ts:202

packages/@react-native-windows/automation/src/AutomationEnvironment.ts:327

Steps To Reproduce

See CodeQL alert.

Expected Results

No response

CLI version

npx @react-native-community/cli -v

Environment

npx @react-native-community/cli info

Community Modules

No response

Target Platform Version

None

Target Device(s)

No response

Visual Studio Version

None

Build Configuration

None

Snack, code example, screenshot, or link to a repository

No response
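The two flagged sites build a shell command string from a value the library receives, which is the pattern CodeQL reports as shell command injection. The following is an added example, not code from react-native-windows or the issue author, contrasting that shape with an argv-based call plus an allow-list. The package-family-name pattern and the PowerShell invocation are assumptions for illustration, not the project's own code.

```typescript
import { spawnSync } from "node:child_process";

// Assumed shape of a Package Family Name: "<Name>_<13-char publisher hash>".
// The allow-list is an illustration, not a spec the project uses.
const PFN_PATTERN = /^[A-Za-z0-9.\-]+_[a-z0-9]{13}$/;

// Vulnerable shape: the input is spliced into a string that a shell parses,
// so metacharacters in it (; & | ` $ quotes) change which command runs.
export function buildShellCommand(pfn: string): string {
  return `powershell -Command "Get-AppxPackage -Name ${pfn}"`;
}

// Characters that cmd.exe or a POSIX shell would treat as syntax.
export function containsShellMetachars(s: string): boolean {
  return /[;&|`$"'<>\r\n]/.test(s);
}

// Hardened shape: reject anything outside the allow-list, then hand the
// value to the child as its own argv entry so no shell ever tokenises it.
// Caveat: `powershell -Command` is itself an interpreter that re-parses its
// arguments, so argv separation alone is not enough here; the allow-list is
// what keeps the value inert.
export function buildArgv(pfn: string): { file: string; args: string[] } {
  if (!PFN_PATTERN.test(pfn)) {
    throw new Error(`rejected package family name: ${JSON.stringify(pfn)}`);
  }
  return {
    file: "powershell.exe",
    args: ["-NoProfile", "-Command", "Get-AppxPackage", "-Name", pfn],
  };
}

// Runs the hardened form. shell: false (the default) is stated explicitly so
// a later refactor cannot quietly reintroduce a shell.
export function queryAppx(pfn: string): string {
  const { file, args } = buildArgv(pfn);
  const res = spawnSync(file, args, { encoding: "utf8", shell: false });
  if (res.error) throw res.error;
  return res.stdout;
}
```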

@jonthysell jonthysell added the labels Area: Compliance; bug; security (Pull requests that address a security vulnerability); Workstream: ES Compliance; SFI (Provide regular ES infrastructure and ensure RNW meets internal security and compliance requirements) on Jan 6, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Triage 🔍 New issue that needs to be reviewed by the issue management team (label applied by bot) label Jan 6, 2025
@jonthysell jonthysell removed the Needs: Triage 🔍 New issue that needs to be reviewed by the issue management team (label applied by bot) label Jan 9, 2025
@jonthysell jonthysell added this to the Next milestone Jan 9, 2025
@jonthysell jonthysell self-assigned this Jan 9, 2025
Development

No branches or pull requests