Harden dev tooling scripts against command injection and log leaks #186076
It looks like this pull request may not have tests. Please make sure to add tests or get an explicit test exemption before merging. If you are not sure if you need tests, consider this rule of thumb: the purpose of a test is to make sure someone doesn't accidentally revert the fix. Ask yourself, is there anything in your PR that you feel it is important we not accidentally revert back to how it was before your fix? Reviewers: Read the Tree Hygiene page and make sure this patch meets those guidelines before LGTMing. If you believe this PR qualifies for a test exemption, contact "@test-exemption-reviewer" in the #hackers channel in Discord (don't just cc them here, they won't see it!). The test exemption team is a small volunteer group, so all reviewers should feel empowered to ask for tests, without delegating that responsibility entirely to the test exemption group.
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request updates shell scripts and Dart utility files to improve variable quoting, sanitize log output, and refine collection literals. A potential issue was identified in dev/bots/run_command.dart where setting ANDROID_NDK_PATH to an empty string might cause unexpected behavior in build tools; using a collection-if to conditionally include the environment variable was suggested instead.
| final finalEnvironment = <String, String>{ | ||
| ...?environment, | ||
| 'ANDROID_NDK_PATH': ?_discoverBestNdkPath(), | ||
| 'ANDROID_NDK_PATH': _discoverBestNdkPath() ?? '', |
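Review bot: The replacement line `'ANDROID_NDK_PATH': _discoverBestNdkPath() ?? ''` changes behaviour instead of hardening it. The line it replaces, `'ANDROID_NDK_PATH': ?_discoverBestNdkPath()`, is a null-aware element that leaves the key out of finalEnvironment when nothing is discovered; the new line always writes the key, so a value that arrived through the `...?environment` spread on the line above is overwritten with an empty string whenever discovery returns null. Keep the original line, or omit the key explicitly when the result is null.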
Setting an environment variable to an empty string is semantically different from leaving it unset. Many build tools check for the presence of ANDROID_NDK_PATH, and an empty string might be interpreted as an invalid path, causing unexpected behavior or failures. It is better to conditionally include the key in the environment map only if a path is successfully discovered using a collection-if with a pattern match.
| 'ANDROID_NDK_PATH': _discoverBestNdkPath() ?? '', | |
| if (_discoverBestNdkPath() case final String path) 'ANDROID_NDK_PATH': path, |
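The unset-versus-empty distinction raised in the comment above, seen from the side of a script that consumes the variable. This is an added shell example, not code from the PR; ANDROID_NDK_PATH is the variable under review, while the fallback path and the two lookup helpers are hypothetical.

```shell
#!/bin/sh
# Added example: how a consumer sees "unset" versus "set to empty".
# The fallback path and helper names are constructed for illustration.

FALLBACK='/opt/ndk-default'   # hypothetical default location

# Classify the variable the way a presence check would.
ndk_state() {
  if [ -z "${ANDROID_NDK_PATH+x}" ]; then echo unset
  elif [ -z "$ANDROID_NDK_PATH" ]; then echo empty
  else echo set
  fi
}

# Lookup that falls back only when the variable is unset.
resolve_if_unset() { echo "${ANDROID_NDK_PATH-$FALLBACK}"; }

# Lookup that falls back when the variable is unset or empty.
resolve_if_unset_or_empty() { echo "${ANDROID_NDK_PATH:-$FALLBACK}"; }

# Run a function with the variable absent from the environment.
with_unset() { ( unset ANDROID_NDK_PATH; "$@" ); }

# Run a function with the variable present but empty.
with_empty() { ( ANDROID_NDK_PATH=''; export ANDROID_NDK_PATH; "$@" ); }

echo "unset: $(with_unset ndk_state) -> $(with_unset resolve_if_unset)"
echo "empty: $(with_empty ndk_state) -> '$(with_empty resolve_if_unset)'"
echo "empty, :- form -> $(with_empty resolve_if_unset_or_empty)"
```

A consumer written with the `-` form receives the empty string as the NDK path and never reaches its default, which is the failure mode the comment warns about.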
eyebrowsoffire left a comment
Thanks for the fixes. The bash escaping looks like a good idea, but the logging changes and some other unrelated changes that crept in should probably be removed.
| }) async { | ||
| if (dryRun) { | ||
| print('gsutil.py -- $args'); | ||
| print('gsutil.py invoked with sanitized arguments'); |
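Review bot: The new dry-run message on the print line no longer shows `$args`, and it calls the arguments sanitized although nothing in this hunk sanitizes them; they are simply not printed. A dry run that cannot show the command it stands in for has lost its purpose. If a specific value ever needs hiding, redact that value and keep the rest of the argument list visible; otherwise keep `print('gsutil.py -- $args');`.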
This change is not necessary, for two reasons:
- `dryRun` is never invoked in CI, it is just for locally testing that the gsutil command looks fine.
- The args passed to gsutil are never sensitive. We don't pass tokens as command line arguments anywhere, and all of the bucket paths are public information.
| final finalEnvironment = <String, String>{ | ||
| ...?environment, | ||
| 'ANDROID_NDK_PATH': ?_discoverBestNdkPath(), | ||
| if (_discoverBestNdkPath() != null) 'ANDROID_NDK_PATH': _discoverBestNdkPath()!, |
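Review bot: The added collection-if calls `_discoverBestNdkPath()` twice, once in the condition and once for the value under a `!` assertion, so discovery runs twice and the second result is asserted non-null without being the value that was checked. The removed line `'ANDROID_NDK_PATH': ?_discoverBestNdkPath()` evaluated it once with the same omit-when-null outcome. Keep the original, or bind the result to a local before the map literal.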
This change also looks unnecessary?
| final allOutput = '${result.flattenedStdout}\n${result.flattenedStderr}'; | ||
| foundError(<String>[ | ||
| ?failureMessage, | ||
| if (failureMessage != null) failureMessage, |
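Review bot: Replacing `?failureMessage` with `if (failureMessage != null) failureMessage` in the foundError list yields the same list in both the null and non-null case, so this line is a style rewrite with no effect on injection or logging. Drop it from this PR so the security-relevant changes can be reviewed on their own.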
| return _processRunner.runProcess(command, workingDirectory: workingDirectory, failOk: failOk); | ||
| } else { | ||
| print('Would run: ${command.join(' ')}'); | ||
| print('Would run: ${command.take(2).join(' ')} ...'); |
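Review bot: Cutting the message to `command.take(2)` hides every argument after the first two, which is the part a "Would run:" line exists to show. The branch above still passes the full `command` to runProcess, so the printed text and the executed command no longer correspond. If a value needs protecting, redact that value by name instead of truncating the list by position.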
This is also unnecessary for the same reasons listed in the above comment. !confirm is the equivalent of dry run, which is never run on CI, and we never pass sensitive arguments to gsutil.
Thanks for the review and approval! I'd love to help out with more issues across the framework—whether related to this script hardening or completely different areas. Feel free to mention or assign me to anything in the backlog! Also, since this is approved, could you please merge it or apply the
autosubmit label was removed for flutter/flutter/186076, because This PR has not met approval requirements for merging. The PR author is not a member of flutter-hackers and needs 1 more review(s) in order to merge this PR.
autosubmit label was removed for flutter/flutter/186076, because The base commit of the PR is older than 7 days and can not be merged. Please merge the latest changes from the main into this branch and resubmit the PR.
Fixes several high-severity XSS/CSRF findings by properly quoting Bash variables in command substitutions and truncating/sanitizing sensitive arguments (like gsutil tokens/paths) before printing to CI logs. Also patches CI orchestration syntax errors.
d484b23 to 92015a5
…11713)
Manual roll requested by bmparr@google.com
flutter/flutter@23f6f58...0541913
2026-05-14 98614782+auto-submit[bot]@users.noreply.github.com Reverts "[Windows] Propagate the enabled accessibility state (#184501)" (flutter/flutter#186492)
2026-05-13 srawlins@google.com [dev] Use super parameters in missed spots (flutter/flutter#186193)
2026-05-13 loic.peron@inetum.com [Windows] Propagate the enabled accessibility state (flutter/flutter#184501)
2026-05-13 matt.boetger@gmail.com [flutter_tool] filter out MotionEvent-JNI warning spam from logcat (#174783) (flutter/flutter#186079)
2026-05-13 engine-flutter-autoroll@skia.org Roll Packages from 93cbed6 to 2ec2236 (1 revision) (flutter/flutter#186464)
2026-05-13 mdebbar@google.com [web] Fix untriaged issues link label (flutter/flutter#186465)
2026-05-13 bdero@google.com [Impeller] Namespace user-supplied shaders to prevent entrypoint collisions (flutter/flutter#186332)
2026-05-13 1063596+reidbaker@users.noreply.github.com [flutter_tools] Migrate detectLowCompileSdkVersionOrNdkVersion to AGP task (flutter/flutter#184731)
2026-05-13 jason-simmons@users.noreply.github.com Update the Flutter Gallery web app template files to support running with Wasm (flutter/flutter#186268)
2026-05-13 jason-simmons@users.noreply.github.com [web] Use heap allocation for buffers that would consume too much space on the Wasm stack (flutter/flutter#186228)
2026-05-13 engine-flutter-autoroll@skia.org Roll Skia from 56ca5896c0d9 to 27f7bba22600 (3 revisions) (flutter/flutter#186444)
2026-05-13 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from z7ICmPtn4hspu02zk... to y6uQHA5xUN83IF395... (flutter/flutter#186442)
2026-05-13 engine-flutter-autoroll@skia.org Roll Skia from 6385958d2feb to 56ca5896c0d9 (1 revision) (flutter/flutter#186441)
2026-05-13 engine-flutter-autoroll@skia.org Roll Dart SDK from 9576691c37d8 to 8e30b88e4d5a (1 revision) (flutter/flutter#186429)
2026-05-13 engine-flutter-autoroll@skia.org Roll Skia from 77a21bc723dc to 6385958d2feb (9 revisions) (flutter/flutter#186428)
2026-05-13 164032450+AlexEduV@users.noreply.github.com Docs/improving docs for semantics UI lib (flutter/flutter#186125)
2026-05-12 jason-simmons@users.noreply.github.com [Tool] Support glob patterns when parsing workspaces in FlutterProject (flutter/flutter#185715)
2026-05-12 nico.reiab@gmail.com docs: fix overriden -> overridden in MediaQueryData dartdoc (flutter/flutter#186323)
2026-05-12 brackenavaron@gmail.com [Test cross imports] No material in `test/foundation`, `test/gestures`, `test/semantics`, `test/services` (flutter/flutter#186144)
2026-05-12 nico.reiab@gmail.com docs: fix "tha" -> "that" typo in widget_inspector_test comment (flutter/flutter#186322)
2026-05-12 nico.reiab@gmail.com docs: Fix doubled-word typos in framework dartdoc (flutter/flutter#186319)
2026-05-12 137456488+flutter-pub-roller-bot@users.noreply.github.com Roll pub packages (flutter/flutter#186418)
2026-05-12 30870216+gaaclarke@users.noreply.github.com Bumped required mediatek vender sdk version. (flutter/flutter#186405)
2026-05-12 magder@google.com Make DeepLinkJsonFromManifestTask Gradle task build cacheable (flutter/flutter#185903)
2026-05-12 66727653+ishaq2321@users.noreply.github.com Harden dev tooling scripts against command injection and log leaks (flutter/flutter#186076)
2026-05-12 137456488+flutter-pub-roller-bot@users.noreply.github.com Roll pub packages (flutter/flutter#186274)
2026-05-12 bdero@google.com [Flutter GPU] Allow allocating multi-mip textures and overwriting specific (mip, slice) levels (flutter/flutter#185890)
2026-05-12 zhongliu88889@gmail.com [web] Fix MenuAnchor dismiss when semantics enabled (flutter/flutter#183093)
If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages
Please CC bmparr@google.com,stuartmorgan@google.com on the revert to ensure that a human is aware of the problem.
To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose
To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622
Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
Description
This PR hardens several developer and CI scripts against command injection, URL-splitting, and information disclosure. These were flagged as high-severity vulnerabilities by static analysis.
Fixes applied:
`$STAGING_DIR`, `${log_file}`, `$WRAPPER_TEMP_DIR`, and `$WRAPPER_SRC_URL` in Bash scripts to prevent arbitrary command injection.
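What quoting those expansions changes, as an added shell example that is not part of the PR. The variable names are the ones listed above; every value, and the count_args helper, is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): the effect of quoting an expansion.
# Variable names mirror the description; all values are constructed.

# Report how many arguments a command actually received.
count_args() { echo "$#"; }

# A staging path with a space, followed by an option-looking word.
STAGING_DIR='/tmp/stage dir --delete'

# Unquoted: the shell splits the value on whitespace, so one "path"
# reaches the command as three separate arguments.
unquoted_count() {
  # shellcheck disable=SC2086  # deliberately unquoted for the demo
  count_args $STAGING_DIR
}

# Quoted: the value reaches the command as exactly one argument.
quoted_count() { count_args "$STAGING_DIR"; }

# Unquoted values are also glob-expanded against the filesystem.
glob_count() {
  d=$(mktemp -d) || return 1
  : > "$d/a.log"; : > "$d/b.log"
  log_file="$d/*.log"
  # shellcheck disable=SC2086
  n_unquoted=$(count_args $log_file)
  n_quoted=$(count_args "$log_file")
  rm -rf "$d"
  echo "$n_unquoted $n_quoted"
}

# Splitting is not re-parsing: ';' inside a value stays data. Only eval
# or `sh -c "$var"` would interpret it, and quoting does not fix those.
metachar_count() {
  WRAPPER_SRC_URL='https://example.invalid/w.jar; echo injected'
  # shellcheck disable=SC2086
  count_args $WRAPPER_SRC_URL
}

echo "unquoted=$(unquoted_count) quoted=$(quoted_count)"
echo "glob (unquoted quoted): $(glob_count)"
echo "metachar words: $(metachar_count)"
```

Quoting therefore closes argument splitting and glob expansion; a value that is later handed to `eval` needs a different fix.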