Skip to content

fix(codeSign) shell command built from environment values #3377

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2025
Merged

fix(codeSign) shell command built from environment values #3377

merged 1 commit into from
May 31, 2025

Conversation

odaysec
Copy link
Contributor

@odaysec odaysec commented May 27, 2025

headlamp/app/mac/scripts/codeSign.js

Line 2 in 5a33401

const { execSync } = require('child_process');

headlamp/app/mac/scripts/codeSign.js

Lines 17 to 18 in 5a33401

execSync(
`codesign -s ${teamID} --deep --force --options runtime --entitlements ${entitlementsPath} ${config.app}`

Fix the issue will replace the use of execSync with execFileSync, which allows us to pass the command and its arguments separately. This approach avoids shell interpretation of the arguments, mitigating the risk of command injection. Specifically:

  1. The codesign command will be passed as the first argument to execFileSync.
  2. The dynamic components (teamID, entitlementsPath, and config.app) will be passed as separate arguments in an array.
  3. This change ensures that special characters in the inputs are treated as literal values and not interpreted by the shell.

@odaysec
Update codeSign.js
7fa03e0 
Signed-off-by: Zeroday BYTE <[email protected]>
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label May 27, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @odaysec!

It looks like this is your first PR to kubernetes-sigs/headlamp 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/headlamp has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot requested review from skoeva and yolossn May 27, 2025 22:20
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 27, 2025
illume
illume approved these changes May 31, 2025
View reviewed changes
Copy link
Contributor

@illume illume left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉🎈 thanks!

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: illume, odaysec

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 31, 2025
@illume illume merged commit 5bc0a9d into kubernetes-sigs:main May 31, 2025
10 of 11 checks passed
@illume illume added security mac Issues related to Mac OS app labels May 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@illume illume illume approved these changes

@skoeva skoeva Awaiting requested review from skoeva

@yolossn yolossn Awaiting requested review from yolossn

Assignees
No one assigned
Labels
app approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. mac Issues related to Mac OS security size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@odaysec @k8s-ci-robot @illume