[Auto release] release 1.3.1 #170

github-actions · 2024-12-03T08:55:49Z

No description provided.

.github/workflows/pr-check.yml

+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [20.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: './common/config/rush/pnpm-lock.yaml'
+
+      - uses: xile611/pr-type-check@main
+        with:
+          pull_request_body: |
+            ${{ github.event.pull_request.body }}
+          pull_request_head: ${{ github.event.pull_request.head.ref }}


.github/workflows/pr-check.yml

+          cache: 'npm'
+          cache-dependency-path: './common/config/rush/pnpm-lock.yaml'
+
+      - uses: xile611/pr-type-check@main


.github/workflows/pre-release.yml

+
+      - name: Parse semver version from branch name
+        id: semver_parser
+        uses: xile611/read-package-version-action@main


.github/workflows/pre-release.yml

+
+      - name: Get npm version
+        id: package-version
+        uses: xile611/read-package-version-action@main


.github/workflows/pre-release.yml

+          path: packages/vmind
+
+      - name: Commit & Push changes
+        uses: actions-js/push@master


.github/workflows/release.yml

+
+      - name: Create Release for Tag
+        id: release_tag
+        uses: ncipollo/[email protected]


.github/workflows/release.yml

+          draft: true #
+
+      - name: Create Pull Request
+        uses: dustinirving/[email protected]


.github/workflows/sync-main-to-develop.yml

+
+      - name: Get version
+        id: package-version
+        uses: xile611/read-package-version-action@main


.github/workflows/sync-main-to-develop.yml

+          git push origin sync/main-${{ steps.package-version.outputs.current_version }}
+
+      - name: Create Pull Request
+        uses: dustinirving/[email protected]


.github/workflows/unit-test.yml

+    runs-on: macOS-12
+
+    strategy:
+      matrix:
+        node-version: [18.x]
+        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: './common/config/rush/pnpm-lock.yaml'
+
+        # Install rush
+      - name: Install rush
+        run: node common/scripts/install-run-rush.js install --bypass-policy
+
+      - name: Compile
+        run: node common/scripts/install-run-rush.js compile --only tag:package
+      - name: Test
+        run: node common/scripts/install-run-rush.js test --only tag:package


common/autoinstallers/lint/change-all.ts

+    const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
+      stdio: 'inherit'
+    });


To fix the problem, we should avoid constructing the shell command as a single string that the shell interprets. Instead, we should use the execFileSync or spawnSync functions with an array of arguments to pass the dynamic parts separately. This prevents the shell from misinterpreting special characters or spaces in the paths or message.

Replace the spawnSync call on line 34 with a call to execFileSync or spawnSync that passes the command and arguments separately.

Similarly, replace the spawnSync call on line 50 with a call that passes the command and arguments separately.

Ensure that the message and bumpType variables are properly sanitized or escaped if necessary.

common/autoinstallers/lint/commit-lint.js

+const result = child_process.spawnSync(
+  "sh",
+  ["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
+  {
+    stdio: "inherit",
+  },
+);


To fix the problem, we should avoid constructing the shell command as a single string and instead pass the command and its arguments separately to child_process.spawnSync. This way, the shell does not interpret the arguments, and we avoid issues with special characters in paths.

Replace the dynamic command string with an array of arguments.

Use child_process.spawnSync without the sh -c option to directly execute the command with the provided arguments.

common/scripts/sort_deps.js

+    spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+      stdio: 'inherit',
+      shell: false,
+    })


To fix the problem, we should avoid constructing the command string dynamically and instead pass the command and its arguments separately to spawnSync. This approach ensures that the arguments are not interpreted by the shell, thus preventing potential injection attacks.

We will modify the spawnSync calls to use execFileSync instead, passing the command and arguments as separate parameters. This change will be made in both instances where spawnSync is used.

common/scripts/sort_deps.js

+      spawnSync('sh', ['-c', `prettier -w ${pkgJsonPath}`], {
+        stdio: 'inherit',
+        shell: false,
+      }) 


To fix the problem, we should avoid constructing the command string dynamically and instead pass the command and its arguments separately to spawnSync. This approach ensures that the arguments are not interpreted by the shell, preventing any possibility of command injection.

Replace the dynamically constructed command string with separate command and arguments.

Use spawnSync with the prettier command and the -w argument followed by the pkgJsonPath.

docs/src/markdown.tsx

+
+function htmlRestore(str: string) {
+  let result = '';
+  result = str.replace(/&amp;/g, '&');


To fix the problem, we need to ensure that the htmlRestore function unescapes the ampersand (&) last. This will prevent any issues with double unescaping, ensuring that other entities are correctly decoded before the ampersand is processed.

Change the order of the replacements in the htmlRestore function.

Specifically, move the line result = result.replace(/&/g, '&'); to the end of the function.

packages/vmind/src/common/utils/skylark.ts

+};
+
+const isStringArray = (str: string) => {
+  const regex = /^(.*)\: ".+"(, ".+")+$/;


To fix the problem, we need to remove the ambiguity in the regular expression. The main issue is with the .* and .+ patterns, which can match overlapping parts of the input string. We can replace .* with a more specific pattern that matches any character except a double quote, ensuring that the regular expression remains efficient.

Replace .* with [^"]* to match any character except a double quote.

Ensure that the regular expression still matches the intended input strings without causing performance issues.

packages/vmind/src/core/VMind.ts

+      this._applicationMap[name] = {};
+    }
+    this._applicationMap[name][modelType] = new BaseApplication(applicationMeta);
+    return;


To fix the problem, we need to ensure that the name property from applicationMeta cannot be used to modify Object.prototype. We can achieve this by checking if name is one of the special properties (__proto__, constructor, prototype) and rejecting it if so. This will prevent prototype pollution while maintaining the existing functionality.

packages/vmind/src/core/VMind.ts

+      if (originalTaskNode) {
+        originalTaskNode.taskNode = taskNode.taskNode;
+        this._applicationMap[applicationName][modelType] = new BaseApplication(applicationMeta);
+      } else {


To fix the problem, we need to ensure that the applicationName parameter cannot be used to modify the Object.prototype. This can be achieved by validating the applicationName to ensure it does not contain any special property names like __proto__, constructor, or prototype.

The best way to fix this without changing existing functionality is to add a validation check at the beginning of the setTaskNode method. If the applicationName is one of the restricted property names, we should throw an error or handle it appropriately.

build: prelease version 1.3.1

b5c9e78

github-actions bot added the release label Dec 3, 2024

github-actions bot requested a review from da730 December 3, 2024 08:55

666haiwen force-pushed the release/1.3.1 branch from 963c635 to b5c9e78 Compare February 20, 2025 07:54

github-actions bot added vmind calculator chart-advisor labels Feb 20, 2025

github-advanced-security bot found potential problems Feb 20, 2025

View reviewed changes

666haiwen force-pushed the main branch from 540370d to baff96d Compare February 20, 2025 07:59

666haiwen force-pushed the release/1.3.1 branch 2 times, most recently from 963c635 to b5c9e78 Compare February 20, 2025 08:26

xile611 closed this Apr 11, 2025

@@ -33,3 +33,4 @@
               } else {
-                const result = spawnSync('sh', ['-c', `echo ${message} | ${commitLintBinPath} --config ${commitLineConfigPath}`], {
+                const result = spawnSync(commitLintBinPath, ['--config', commitLineConfigPath], {
+                  input: message,
                   stdio: 'inherit'
@@ -49,3 +50,3 @@
-              spawnSync('sh', ['-c', `rush change --bulk --bump-type '${bumpType}' --message '${message}'`], {
+              spawnSync('rush', ['change', '--bulk', '--bump-type', bumpType, '--message', message], {
                 stdio: 'inherit',

@@ -50,4 +50,3 @@
               let result = '';
-              result = str.replace(/&amp;/g, '&');
-              result = result.replace(/&lt;/g, '<');
+              result = str.replace(/&lt;/g, '<');
               result = result.replace(/&gt;/g, '>');
@@ -56,2 +55,3 @@
               result = result.replace(/&quot;/g, '"');
+              result = result.replace(/&amp;/g, '&');
               return result;

@@ -51,3 +51,3 @@
             const isStringArray = (str: string) => {
-              const regex = /^(.*)\: ".+"(, ".+")+$/;
+              const regex = /^([^"]*)\: ".+"(, ".+")+$/;
               return regex.test(str);

@@ -65,2 +65,5 @@
                 const { name } = applicationMeta;
+                if (name === '__proto__' || name === 'constructor' || name === 'prototype') {
+                  throw new Error('Invalid application name');
+                }
                 if (!this._applicationMap[name]) {

@@ -73,2 +73,5 @@
               setTaskNode(applicationName: string, modelType: ModelType | string, taskNode: TaskNode<any>) {
+                if (applicationName === '__proto__' || applicationName === 'constructor' || applicationName === 'prototype') {
+                  throw 'Invalid application name!';
+                }
                 const applicationMeta = this._runtimeMetaMap[applicationName]?.[modelType];

@@ -14,4 +14,4 @@
             const result = child_process.spawnSync(
-              "sh",
-              ["-c", `${commitlintBinPath} --config ${configPath} --cwd ${path.dirname(gitPath)} --edit`],
+              commitlintBinPath,
+              ["--config", configPath, "--cwd", path.dirname(gitPath), "--edit"],
               {

[Auto release] release 1.3.1 #170

[Auto release] release 1.3.1 #170

Uh oh!

Conversation

github-actions bot commented Dec 3, 2024

Uh oh!

Check warning

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Uh oh!

Check warning

Check warning

Uh oh!

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Copilot Autofix

Check failure

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Check warning

Uh oh!

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants