Fix multiple code scanning security issues #1373
Merged
brianmcgillion merged 3 commits into tiiuae:main on Sep 9, 2025
vunnyso approved these changes Sep 4, 2025
- Remove hardcoded GitHub client ID, make it configurable
- Add input validation to shell scripts to prevent path traversal
- Improve error handling in Python script to prevent info disclosure
- Add URL validation to JavaScript extension to prevent XSS
- Enhanced device validation in installer and flash scripts
- Remove Python cache file and update .gitignore
- Fix Python path validation to allow absolute paths and improve device/filename validation

Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>
9fde371 to 64b7df8
Pull Request Overview
This PR addresses multiple security vulnerabilities identified by code scanning tools across the Ghaf framework. The changes focus on hardening input validation, preventing path traversal attacks, and improving error handling to prevent information disclosure.
Key changes include:
- Replacing hardcoded GitHub client ID with configurable option
- Adding comprehensive input validation to prevent path traversal in shell scripts and Python code
- Implementing URL validation in JavaScript extension to prevent XSS attacks
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/pkgs-by-name/open-normal-extension/open_normal.js | Added URL validation to prevent XSS attacks and improved error handling |
| packages/pkgs-by-name/ghaf-installer/ghaf-installer.sh | Enhanced device name validation with regex patterns to prevent path traversal |
| packages/pkgs-by-name/flash-script/flash.sh | Added input validation for device paths and filenames to prevent path traversal |
| modules/reference/hardware/jetpack/nvidia-jetson-orin/mk-esp-contents.py | Improved error handling to prevent info disclosure and added path validation |
| modules/common/services/github.nix | Made GitHub client ID configurable instead of hardcoded |
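
An added illustration (not code from this pull request or the Ghaf repository) of the kind of allow-list validation the overview describes for device paths and filenames in flash.sh and ghaf-installer.sh. The function names, the accepted device patterns, the image extensions and the `skip-blockdev` test hook are assumptions.

```shell
#!/bin/sh
# Added example: allow-list checks for a flash target and an image name.
# Names and patterns below are assumptions, not taken from flash.sh.

# Reject empty values and anything containing a newline. grep matches per
# line, so a multi-line value could otherwise pass on its first line alone.
single_line() {
    [ -n "$1" ] || return 1
    case "$1" in
        *'
'*) return 1 ;;
    esac
    return 0
}

# Accept only whole-disk nodes directly under /dev (sdX, vdX, nvmeXnY, mmcblkN).
# -x anchors the regex to the whole line, so "/dev/../etc" cannot match.
valid_device() {
    single_line "$1" || return 1
    printf '%s\n' "$1" |
        grep -Eqx '/dev/(sd[a-z]+|vd[a-z]+|nvme[0-9]+n[0-9]+|mmcblk[0-9]+)'
}

# Accept a bare image file name: no "/" (so no traversal), no leading dot or
# dash (hidden files, option injection), and a known extension.
valid_image_name() {
    single_line "$1" || return 1
    printf '%s\n' "$1" | grep -Eqx '[A-Za-z0-9_][A-Za-z0-9._-]*\.(img|iso|zst)'
}

# Validate both arguments before any write. Error messages stay generic and
# never echo the rejected input back. $3 = "skip-blockdev" (test hook) omits
# the check that the node really is a block device.
check_flash_args() {
    valid_device "$1" || { echo "error: invalid target device" >&2; return 2; }
    valid_image_name "$2" || { echo "error: invalid image name" >&2; return 3; }
    if [ "${3:-}" != "skip-blockdev" ] && [ ! -b "$1" ]; then
        echo "error: target is not a block device" >&2
        return 4
    fi
    return 0
}
```

The pattern check only proves the string has the expected shape; the `-b` test is what ties it to a real block device on the running system.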
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian McGillion <bmg.avoin@gmail.com>
Verified test steps 1-2
Agreed with Brian to ignore steps 3-4, they don't work currently in main.