Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CallCommand #1015

Closed
wants to merge 6 commits into from
Closed

Add CallCommand #1015

wants to merge 6 commits into from

Conversation

CTY-git
Copy link
Contributor

@CTY-git CTY-git commented Nov 12, 2024

PR Checklist

  • The commit message follows our guidelines: Code of conduct
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • Does this PR introduce a breaking change?
  • Include PR in release notes?

PR Type

  • Bugfix
  • Feature
  • Refactoring
  • Build /CI
  • Documentation
  • Others

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Other information

@CTY-git CTY-git requested a review from jonahdc November 12, 2024 05:06
@patched-codes patched-codes bot deleted a comment from patched-admin Nov 13, 2024
@patched-codes patched.codes
Copy link

patched-codes bot commented Dec 10, 2024

File Changed: patchwork/steps/CallCommand/CallCommand.py

Details: Potential security vulnerability detected in the use of subprocess.run() without explicitly setting shell=False. While the default is False, it's a good practice to explicitly set it for clarity and to prevent future changes from introducing vulnerabilities.

Affected Code Snippet:

p = subprocess.run(cmd, capture_output=True, text=True, cwd=self.working_dir, env=self.env)

Start Line: 51

End Line: 51

File Changed: patchwork/steps/CallCommand/typed.py

Details: Potential security vulnerability introduced in the CallCommandInputs class. The command and command_args fields could be used to execute arbitrary commands, which might lead to command injection if not properly sanitized.

Affected Code Snippet:

class __RequiredCallCommandInputs(TypedDict):
    command: str

class CallCommandInputs(__RequiredCallCommandInputs, total=False):
    command_args: str
    working_dir: Annotated[str, StepTypeConfig(is_path=True)]
    env: str

Start Line: 6

End Line: 11

File Changed: patchwork/steps/ScanPSFuzz/ScanPSFuzz.py

Details: There is a potential security vulnerability in the code. The OpenAI API key is being passed as an environment variable in plain text, which could be exposed if the process information is accessed by unauthorized parties.

Affected Code Snippet:

wrapped_input = dict(
    command="prompt-security-fuzzer",
    command_args=f'-b {inputs["prompt_file_path"]}',
    env=f'OPENAI_API_KEY={inputs["openai_api_key"]}'
)

Start Line: 22

End Line: 26

File Changed: patchwork/steps/ScanPSFuzz/typed.py

Details: Potential security vulnerability detected. The openai_api_key is defined as a string without any apparent encryption or secure handling.

Affected Code Snippet:

class __RequiredScanPSFuzzInputs(TypedDict):
    prompt_file_path:  Annotated[str, StepTypeConfig(is_path=True)]
    openai_api_key: Annotated[str, StepTypeConfig(is_config=True)]

Start Line: 6

End Line: 8

@CTY-git
Copy link
Contributor Author

CTY-git commented Jan 23, 2025

Done with #1181 instead.

@CTY-git CTY-git closed this Jan 23, 2025
@CTY-git CTY-git deleted the add-call-command branch January 23, 2025 02:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jonahdc jonahdc Awaiting requested review from jonahdc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@CTY-git