
Vulnerabilities Dashboard - Code #1

@j2nullify-nullify

Severity Threshold: 🔵 MEDIUM

16 Potential vulnerability sources found within this repo

🔴 CRITICAL: 0    🟡 HIGH: 0    🔵 MEDIUM: 16    ⚪ LOW: 0

ID: 01J4R31H3PD992RG02MG66WPYS Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

diff = subprocess.check_output(["git", "diff", "origin/main...HEAD"]).decode()

ID: 01J57ESRTXPK3BFDKVC6XQP6BZ Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

return subprocess.check_output(["git", "rev-parse", "--abbrev-ref", "HEAD"]).decode().strip()

ID: 01J4R22S839VFHMXJK60P10R52 Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

history = subprocess.getoutput("history")

ID: 01J57ESRTXPK3BFDKVC9XQPM0S Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

pr_info = subprocess.check_output(["gh", "pr", "view", "--json", "number"]).decode()

ID: 01J4R22S839VFHMXJK62YANTNB Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

git_diff_output = subprocess.getoutput("git diff --cached")

ID: 01J4R31H3PD992RG02MH8VEVNK Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

current_branch = subprocess.check_output(["git", "rev-parse", "--abbrev-ref", "HEAD"]).decode().strip()

ID: 01J4R31H3PD992RG02MM3FGBPY Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

subprocess.run(["git", "push", "--set-upstream", "origin", current_branch])

ID: 01J57ESRTXPK3BFDKVCABAKVC4 Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

diff = subprocess.check_output(["gh", "pr", "diff", str(pr_number)]).decode()

ID: 01J4R22S839VFHMXJK60V88Q5W Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Found subprocess function $FUNC with shell=True. This is dangerous because this call will
spawn the command using a shell process. Doing so propagates current shell settings and
variables, which makes it much easier for a malicious actor to execute commands. Use
shell=False instead.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run(selected_bash_command, check=True, shell=True)

ID: 01J4R22S839VFHMXJK6435KKTB Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run(["git", "commit", "-m", value])

ID: 01J57ESRTXPK3BFDKVBYMQ6ESC Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run([
"gh", "pr", "create", "--title", pr_title, "--body", pr_description,
"--label", pr_label])

ID: 01J57ESRTXPK3BFDKVCACSM2QX Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run([
"gh", "pr", "review", str(pr_number),
"--body", review_comment,
"--comment"
])

ID: 01J57ESRTXPK3BFDKVBZ5PY7K1 Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run([
"gh", "pr", "edit", "--title", pr_title, "--body", pr_description,
"--label", pr_label])

ID: 01J4R31H3PD992RG02MPJVHQM1 Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run(["gh", "pr", "create", "--title", pr_title, "--body", pr_description])

ID: 01J4R31H3PD992RG02MRZJJGBE Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

result = subprocess.run(["gh", "pr", "edit", "--title", pr_title, "--body", pr_description])

ID: 01J57ESRTXPK3BFDKVCAV1ZCWJ Language: Python Severity: 🔵 MEDIUM CWE-78

Improper Neutralization of Special Elements used in an OS Command

Python possesses many mechanisms to invoke an external executable. However,
doing so may present a security issue if appropriate care is not taken to
sanitize any user provided or variable input. This plugin test is part of a
family of tests built to check for process spawning and warn appropriately.
Specifically, this test looks for the spawning of a subprocess without the
use of a command shell. This type of subprocess invocation is not
vulnerable to shell injection attacks, but care should still be taken to
ensure validity of input.

Read more:
https://cwe.mitre.org/data/definitions/78.html

subprocess.run(["python", "app/make_pull_request.py"])
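The findings above fall into two groups: one call runs a variable string through a shell (`subprocess.run(selected_bash_command, shell=True)`), and the rest pass a fixed program plus arguments as a list. The example below is added here to show the difference concretely; it is not code from the scanned repository or from the scanner. It assumes the variables in the flagged lines (`value`, `pr_title`, `pr_number`, the base ref in `git diff`) may come from untrusted input; `HOSTILE_INPUT` and every helper name are constructed for the illustration. It also covers the caveat the list-form findings hint at: with `shell=False` a shell metacharacter cannot start a second command, but a value that looks like an option can still change what `git` or `gh` does, so positional values need a type check or a `--` terminator. Note that `subprocess.getoutput` (the `history` and `git diff --cached` findings) always runs its argument through a shell, so it belongs to the first group even though no `shell=True` appears in the source.

```python
"""Added example: shell injection vs. argument injection in the flagged calls.

Not code from the scanned repository or the scanner; helper names and the
sample input are constructed for illustration.
"""
import subprocess

# Constructed attacker-controlled text, e.g. a commit message or PR title.
HOSTILE_INPUT = "fix typo; echo INJECTED"


def run_with_shell(user_text):
    """The flagged pattern: command string + shell=True.
    /bin/sh parses the ';' and the attacker's second command runs too."""
    result = subprocess.run(f"echo {user_text}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_argv(user_text):
    """The safe pattern: list argv, shell=False (the default).
    The whole string reaches echo as one argument; no shell is involved.
    subprocess.getoutput()/getstatusoutput() always use a shell, so they
    fall in the first category even though shell=True is not written out."""
    result = subprocess.run(["echo", user_text], capture_output=True, text=True)
    return result.stdout


def positional(value):
    """Reject a positional argument that an option parser would read as a flag.
    Use for branch names, refs, PR numbers placed after a fixed command."""
    if not value or value.startswith("-"):
        raise ValueError(f"refusing option-like positional argument: {value!r}")
    return value


def git_diff_argv(base_ref):
    """argv for `git diff <base>...HEAD`. positional() stops a ref such as
    '--output=/tmp/x' (a real git diff option) from being accepted, and the
    trailing '--' tells git that anything after it is a path, not an option."""
    return ["git", "diff", f"{positional(base_ref)}...HEAD", "--"]


def pr_diff_argv(pr_number):
    """argv for `gh pr diff <number>`. Coercing to int means a string such as
    '--web' can never be smuggled onto the gh command line."""
    number = int(pr_number)
    if number <= 0:
        raise ValueError(f"PR number must be positive, got {number}")
    return ["gh", "pr", "diff", str(number)]


def raises_value_error(fn, *args):
    """Helper so callers can check that a value is rejected."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("shell=True :", repr(run_with_shell(HOSTILE_INPUT)))
    print("argv       :", repr(run_argv(HOSTILE_INPUT)))
    print(git_diff_argv("origin/main"))
    print(pr_diff_argv(42))
```

For the calls where the command is fixed (`git diff --cached`, `history`), the fix is simply to spell the command as a list and drop the shell: `subprocess.run(["git", "diff", "--cached"], capture_output=True, text=True)`. For `git commit -m value` and the `gh pr create/edit --title ... --body ...` calls, the value is consumed as the argument of the preceding option, so an option-looking string is not reinterpreted; the positional cases (`gh pr diff <number>`, the ref in `git diff`) are the ones where the checks above matter.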

Reply with /nullify to interact with me like another developer
