feat(node-core): Add node-core package #16531
|  | ||
| const testScriptPath = path.resolve(__dirname, 'no-additional-listener-test-script.js'); | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | 
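Review bot: The child is launched as the bare name `node`, so the binary is resolved through `PATH` and may not be the interpreter running the test suite; a different Node version, or any `node` placed earlier on `PATH` on a shared runner, would be executed instead. The same applies to the four sibling tests quoted below that launch `additional-listener-test-script.js`, `log-entire-error-to-console.js` and the two `mimic-native-behaviour-*` scripts. Using `process.execPath` as the executable pins the child to the runner's own interpreter, e.g. `childProcess.execFile(process.execPath, [testScriptPath], { encoding: 'utf8' }, (err, stdout) => {`. The callback body continues outside the quoted lines.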
Check warning
Code scanning / CodeQL
Shell command built from environment values
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To fix the issue, the shell command should be constructed using childProcess.execFile or childProcess.spawn, which allow passing arguments separately and avoid interpretation by the shell. This ensures that special characters in the path do not alter the command's behavior.
Specifically:
- Replace `childProcess.exec` with `childProcess.execFile`.
- Pass the `node` command and the script path as separate arguments to `execFile`.
- Ensure the encoding option is preserved.
| @@ -11,3 +11,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -25,3 +25,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | ||
| @@ -38,3 +38,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stderr) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -55,3 +55,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -69,3 +69,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | 
|  | ||
| const testScriptPath = path.resolve(__dirname, 'additional-listener-test-script.js'); | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | 
Check warning
Code scanning / CodeQL
Shell command built from environment values
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To fix the issue, we will replace the use of childProcess.exec with childProcess.execFile. The execFile method allows us to pass the command and its arguments as separate parameters, avoiding shell interpretation of the command string. This ensures that special characters in the testScriptPath do not alter the behavior of the command.
Specifically:
- Replace the dynamically constructed shell command `node ${testScriptPath}` with the `execFile` method, passing `node` as the command and `[testScriptPath]` as its arguments.
- Update all instances of `childProcess.exec` in the provided code snippet to use `execFile`.
| @@ -11,3 +11,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -25,3 +25,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | ||
| @@ -38,3 +38,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stderr) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -55,3 +55,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -69,3 +69,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | 
|  | ||
| const testScriptPath = path.resolve(__dirname, 'log-entire-error-to-console.js'); | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | 
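Review bot: The second callback parameter is named `stderr`, but Node calls the `exec` callback with `(error, stdout, stderr)`, so this name is bound to the child's stdout. If the test is meant to inspect what `log-entire-error-to-console.js` writes to the error stream, the signature should be `(err, _stdout, stderr) => {`; if stdout is what is wanted, rename the parameter to `stdout` so the assertion reads correctly. The callback body lies outside the quoted lines, so which stream the assertions expect cannot be confirmed from here.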
Check warning
Code scanning / CodeQL
Shell command built from environment values
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To fix the issue, replace the use of childProcess.exec with childProcess.execFile. This method allows passing the command and its arguments separately, avoiding shell interpretation of the constructed string. Specifically:
- Replace the interpolated shell command `node ${testScriptPath}` with a direct call to `node` and pass `testScriptPath` as an argument.
- Ensure all instances of `childProcess.exec` in the file are updated to use `execFile` for consistency and security.
No additional dependencies are required, as childProcess is already imported.
| @@ -11,3 +11,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -25,3 +25,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | ||
| @@ -38,3 +38,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stderr) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -55,3 +55,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -69,3 +69,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | 
|  | ||
| const testScriptPath = path.resolve(__dirname, 'mimic-native-behaviour-no-additional-listener-test-script.js'); | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | 
Check warning
Code scanning / CodeQL
Shell command built from environment values
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To fix the issue, replace the use of childProcess.exec with childProcess.execFile. The execFile method allows passing the command and its arguments as separate parameters, avoiding shell interpretation of the command string. Specifically:
- Replace the dynamically constructed command string `node ${testScriptPath}` with the command `node` and the argument array `[testScriptPath]`.
- Update all instances of `childProcess.exec` in the file to use `childProcess.execFile` with the appropriate arguments.
This change ensures that the file paths are passed directly to the node executable without being interpreted by the shell, mitigating the risk of command injection.
| @@ -11,3 +11,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -25,3 +25,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | ||
| @@ -38,3 +38,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stderr) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -55,3 +55,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -69,3 +69,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | 
|  | ||
| const testScriptPath = path.resolve(__dirname, 'mimic-native-behaviour-additional-listener-test-script.js'); | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | 
Check warning
Code scanning / CodeQL
Shell command built from environment values
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To fix the issue, replace the use of childProcess.exec with childProcess.execFile. The execFile function allows specifying the command and its arguments separately, bypassing the shell and avoiding interpretation of special characters. This ensures that the testScriptPath is treated as a literal argument to the node command, eliminating the risk of command injection or misinterpretation.
Steps to fix:
- Replace the dynamically constructed shell command `node ${testScriptPath}` with the `execFile` function.
- Pass `node` as the command and `[testScriptPath]` as the arguments array to `execFile`.
- Ensure all instances of `childProcess.exec` in the provided code are updated to use `execFile`.
| @@ -11,3 +11,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -25,3 +25,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | ||
| @@ -38,3 +38,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stderr) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stderr) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -55,3 +55,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).not.toBeNull(); | ||
| @@ -69,3 +69,3 @@ | ||
|  | ||
| childProcess.exec(`node ${testScriptPath}`, { encoding: 'utf8' }, (err, stdout) => { | ||
| childProcess.execFile('node', [testScriptPath], { encoding: 'utf8' }, (err, stdout) => { | ||
| expect(err).toBeNull(); | 
| request: vi | ||
| .fn() | ||
| .mockImplementation((options: https.RequestOptions, callback?: (res: HTTPModuleRequestIncomingMessage) => void) => { | ||
| return https.request({ ...options, rejectUnauthorized: false }, callback); | 
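Review bot: `rejectUnauthorized: false` is written after `...options`, so it overrides whatever the caller passed, and no test built on this module can exercise certificate validation even if it sets `rejectUnauthorized: true` itself. If the relaxed setting exists only because the local test server presents a self-signed certificate (not visible here), trusting that certificate through the `ca` option would keep verification on; failing that, put the default before the spread: `https.request({ rejectUnauthorized: false, ...options }, callback)`. The enclosing object literal starts outside the quoted lines; a comment on it such as `// Test-only: skips TLS verification for the local test server; never use outside tests.` would make the scope explicit.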
Check failure
Code scanning / CodeQL
Disabling certificate validation
          
            
              
                
              
            
      Copilot Autofix
AI 5 months ago
To address the issue, we will modify the code to use a secure default configuration (rejectUnauthorized: true) and allow the insecure configuration (rejectUnauthorized: false) only when explicitly required for testing purposes. This can be achieved by introducing a flag or parameter to control the rejectUnauthorized setting dynamically. The default behavior will be secure, and the insecure configuration will be isolated and documented.
| @@ -69,3 +69,3 @@ | ||
|  | ||
| const unsafeHttpsModule: HTTPModule = { | ||
| const createHttpsModule = (rejectUnauthorized: boolean): HTTPModule => ({ | ||
| request: vi | ||
| @@ -73,8 +73,11 @@ | ||
| .mockImplementation((options: https.RequestOptions, callback?: (res: HTTPModuleRequestIncomingMessage) => void) => { | ||
| return https.request({ ...options, rejectUnauthorized: false }, callback); | ||
| return https.request({ ...options, rejectUnauthorized }, callback); | ||
| }), | ||
| }; | ||
| }); | ||
|  | ||
| const unsafeHttpsModule = createHttpsModule(false); // Insecure configuration for testing purposes | ||
| const secureHttpsModule = createHttpsModule(true); // Secure configuration | ||
|  | ||
| const defaultOptions = { | ||
| httpModule: unsafeHttpsModule, | ||
| httpModule: secureHttpsModule, // Use secure configuration by default | ||
| url: TEST_SERVER_URL, | 
e749085    to
    9e95ca5      
    Compare
  
    9e95ca5    to
    0a23adb      
    Compare
  
    
This PR creates a new `node-core` package.
The package is still experimental and should not be used yet.
Closes: #15213