
ci: audit #383

Open: wants to merge 3 commits into base branch alpha

Conversation

shanexi (Collaborator) commented Mar 10, 2025

No description provided.

vercel bot commented Mar 10, 2025

The latest updates on your projects. Learn more about Vercel for Git

Name | Status | Preview | Updated (UTC)
--- | --- | --- | ---
shell-agent | ✅ Ready (Inspect) | Visit Preview | Mar 10, 2025 4:32am

shanexi (Collaborator, Author) commented Mar 10, 2025

Security Audit Report

Affected code

curl -X POST -H "Content-Type: text/plain" -H "X-PR-Number: $PR_NUMBER" -H "x-secret: ${{ secrets.X_SECRET}}" --data-binary @commit_diff.txt ${{ secrets.N8N_AUDIT_WEBHOOK_TEST }}

Problem

Command injection vulnerability: the unfiltered $PR_NUMBER variable is used directly in the curl command; an attacker could alter the request's behaviour through malicious injection.

Security risk level

High

Suggested fix

Wrap the variable in quotes and make sure $PR_NUMBER is properly validated and escaped: curl -X POST -H "Content-Type: text/plain" -H "X-PR-Number: \"${PR_NUMBER}\"" ...

shanexi (Collaborator, Author) commented Mar 10, 2025

Security Audit Report

Finding 1

Affected code

curl -X POST -H "Content-Type: text/plain" -H "X-PR-Number: $PR_NUMBER" -H "x-secret: ${{ secrets.X_SECRET}}" --data-binary @commit_diff.txt ${{ secrets.N8N_AUDIT_WEBHOOK }}

Problem

Command injection vulnerability (Command Injection): the PR_NUMBER variable is used directly as a command-line argument without validation.

Security risk level

Suggested fix

Strictly validate the PR_NUMBER variable so that it contains only digits, for example: [[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "Invalid PR number"; exit 1; }, or wrap the variable in quotes to avoid command injection: -H "X-PR-Number: ${PR_NUMBER}"

shanexi (Collaborator, Author) commented Mar 10, 2025

Audit Report

Affected code

curl -X POST -H "Content-Type: text/plain" -H "X-PR-Number: $PR_NUMBER" -H "x-secret: ${{ secrets.X_SECRET}}" --data-binary @commit_diff.txt ${{ secrets.N8N_AUDIT_WEBHOOK }}

Problem

Command injection vulnerability (Command Injection): the PR_NUMBER variable is used to build command-line arguments without sufficient validation.

Security risk level

High

Suggested fix

Apply strict input validation and escaping to the PR_NUMBER variable so that it contains only digits in the expected format. This can be done with a regular-expression check (such as [[ $PR_NUMBER =~ ^[0-9]+$ ]]) or by using a tool such as jq to handle GitHub environment variables safely.
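The three audit comments above all recommend the same guard: reject any PR_NUMBER that is not a plain run of digits before the curl step uses it. The following is an added example of that guard, not code from this PR or its workflow; the function names, the positional parameters for the webhook URL and secret, and the POSIX `case` pattern (used instead of the bash `[[ =~ ]]` test so it runs under plain sh) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR: validate the PR number before the
# audit workflow's curl step uses it, as the audit comments recommend.
# The webhook URL and secret are assumed to be passed in by the caller
# (in the workflow they would come from repository secrets).

# Succeeds only when the argument is a non-empty run of ASCII digits.
# Uses a POSIX case pattern so it works under sh as well as bash.
validate_pr_number() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Prints the X-PR-Number header for a validated number, or fails.
pr_number_header() {
  validate_pr_number "$1" || {
    echo "Invalid PR number: $1" >&2
    return 1
  }
  printf 'X-PR-Number: %s\n' "$1"
}

# Posts the diff file to the audit webhook; refuses to run with a bad
# PR number, and passes every user-influenced value as a quoted argument.
send_audit_diff() {
  pr_number="$1"; diff_file="$2"; webhook_url="$3"; secret="$4"
  header=$(pr_number_header "$pr_number") || return 1
  curl -X POST -H "Content-Type: text/plain" -H "$header" \
    -H "x-secret: ${secret}" --data-binary "@${diff_file}" "${webhook_url}"
}
```

In the workflow, `send_audit_diff "$PR_NUMBER" commit_diff.txt "$WEBHOOK_URL" "$X_SECRET"` would replace the bare curl line, so a malformed number fails the step instead of reaching the request.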
