codeflash-admin/codeflash
1
0
Fork 0
mirror of https://github.com/codeflash-ai/codeflash.git synced 2026-05-04 18:25:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Coding super-intelligence to find the most optimized Python code. Use it to optimize existing codebases or new Pull requests as a GitHub Action or a VS Code Extension.
7713 commits 508 branches 66 tags 118 MiB
Python 89.4%
Java 5.8%
JavaScript 4.3%
TypeScript 0.4%
Find a file
mohammed ahmed e0a0671cf3 Fix CRITICAL JavaScript code injection vulnerability in Jest config generation 
**Issue #17:** Unsanitized file paths in f-string interpolation can inject
arbitrary JavaScript code into the generated Jest config file.

**Severity:** CRITICAL

**Root Cause:**
File: /opt/codeflash/codeflash/languages/javascript/test_runner.py:516, 524, 565

Three locations used f-string interpolation to embed paths into JavaScript code
without escaping:

1. Line 516: `test_dirs_js = ", ".join(f"'{d}'" for d in sorted(test_dirs))`
2. Line 524: `f"moduleDirectories: [..., '{monorepo_node_modules}'],"`
3. Line 565: `f"roots: ['{project_root}', {test_dirs_js}],"`

If any path contains a single quote (`'`), it breaks out of the string and
executes arbitrary JavaScript. Example:

**Malicious path:** `/tmp/test']; console.log('INJECTED'); roots=['`

**Vulnerable output:**
```javascript
roots: ['/project', '/tmp/test']; console.log('INJECTED'); roots=[''],
                                ^-- breaks string, executes code
```

**Impact:**
- **Code injection:** Arbitrary JavaScript execution when Jest loads config
- **Attack vector:** User-controlled paths (test directories, monorepo paths)
- **Scope:** Any project where test dirs or project root contains quote char
- **Risk:** HIGH - While uncommon, paths can be influenced via symlinks,
  mount points, or malicious repository names

**Fix:**
Use `json.dumps()` to properly escape all paths before embedding in JavaScript:

1. Line 516: `json.dumps(d)` instead of `f"'{d}'"`
2. Line 524: `json.dumps(monorepo_node_modules)` instead of f-string
3. Line 565: `json.dumps(str(project_root))` instead of f-string

`json.dumps()` wraps strings in double quotes and properly escapes special
characters, preventing injection.

**After fix:**
```javascript
roots: ["/project", "/tmp/test']; console.log('INJECTED'); roots=['"],
                   ^-- double quoted, single quotes are string content (safe)
```

**Files Changed:**
- codeflash/languages/javascript/test_runner.py (3 injection points fixed)
- tests/test_languages/test_javascript_injection_bug.py (new test file, 2 tests)

**Testing:**
- 2 new tests specifically for injection vulnerability (both pass)
- 2 existing test_runner tests pass
- All tests verify paths are JSON-escaped (double-quoted)

**Security Note:**
This vulnerability was found through proactive code review (autoresearch:debug).
No known exploits in the wild. Fixed before public disclosure.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-06 16:32:36 +00:00
.claude fix: make post-edit lint hook surface real errors 2026-03-27 18:01:16 -05:00
.codex chore: update tessl agent config files 2026-02-18 20:23:23 -05:00
.gemini chore: update tessl agent config files 2026-02-18 20:23:23 -05:00
.github Merge branch 'main' into java-config-redesign 2026-03-27 14:10:00 +02:00
code_to_optimize fix: update codeflash-runtime version in test fixture pom.xml files 2026-04-01 23:13:37 +00:00
codeflash Fix CRITICAL JavaScript code injection vulnerability in Jest config generation 2026-04-06 16:32:36 +00:00
codeflash-benchmark Merge commit '6346c740' into sync-main-batch-4 2026-02-19 21:26:23 -05:00
codeflash-java-runtime chore: bump codeflash-java-runtime version to 1.0.1 2026-04-01 22:33:47 +00:00
docs Merge pull request #1948 from codeflash-ai/docs/codeflash-installation-for-js-and-ts 2026-04-02 14:10:34 +05:30
experiments fix: lint issues in experiments folder and format fixes 2026-01-29 19:26:50 +05:30
packages/codeflash Merge pull request #1899 from codeflash-ai/cf-fix-v8-serializer-cross-context 2026-03-26 23:52:17 +05:30
tests Fix CRITICAL JavaScript code injection vulnerability in Jest config generation 2026-04-06 16:32:36 +00:00
.gitignore feat: add Claude Code post-edit lint hook using prek 2026-03-27 08:25:36 -05:00
.mcp.json Add MCP config for .mcp.json 2026-02-15 00:20:41 +00:00
.pre-commit-config.yaml chore: bump ruff-pre-commit to v0.15.8 and update lockfile 2026-03-27 09:06:42 -05:00
CLAUDE.md chore: reorganize Claude rules and add workflow guidelines 2026-03-27 09:43:53 -05:00
codeflash.code-workspace improve codeflash debugging 2025-06-26 15:00:35 -07:00
LICENSE fix: update license format to use license-files 2026-02-17 05:54:21 +00:00
mypy_allowlist.txt fix: remove deleted cli_common.py from mypy_allowlist.txt 2026-03-17 08:18:45 +00:00
pyproject.toml feat: add --memory flag to codeflash compare for peak memory profiling 2026-04-02 10:29:31 -05:00
README.md release/v0.17.0 (#756) 2025-09-23 14:02:30 -07:00
SECURITY.md Create SECURITY.md 2025-08-06 18:50:57 -07:00
tessl.json chore: update tessl tiles and upgrade dependencies 2026-02-18 20:23:23 -05:00
uv.lock feat: add --memory flag to codeflash compare for peak memory profiling 2026-04-02 10:29:31 -05:00

README.md

Codeflash-banner

GitHub commit activity PyPI Downloads PyPI Downloads

Codeflash is a general purpose optimizer for Python that helps you improve the performance of your Python code while maintaining its correctness. It uses advanced LLMs to generate multiple optimization ideas for your code, tests them to be correct and benchmarks them for performance. It then creates merge-ready pull requests containing the best optimization found, which you can review and merge.

How to use Codeflash -

  • Optimize an entire existing codebase by running codeflash --all
  • Automate optimizing all future code you will write by installing Codeflash as a GitHub action.
  • Optimize a Python workflow python myscript.py end-to-end by running codeflash optimize myscript.py

Codeflash is used by top engineering teams at Pydantic (PRs Merged), Roboflow (PRs Merged 1, PRs Merged 2), Unstructured (PRs Merged 1, PRs Merged 2), Langflow (PRs Merged) and many others to ship performant, expert level code.

Codeflash is great at optimizing AI Agents, Computer Vision algorithms, PyTorch code, numerical code, backend code or anything else you might write with Python.

Installation

To install Codeflash, run:

pip install codeflash

Add codeflash as a development time dependency if you are using package managers like uv or poetry.

Quick Start

  1. To configure Codeflash for a project, at the root directory of your project where the pyproject.toml file is located, run:

    codeflash init
    • It will ask you a few questions about your project like the location of your code and tests
    • Ask you to generate an API Key to access Codeflash's LLMs
    • Install a GitHub app to open Pull Requests on GitHub.
    • Ask if you want to setup a GitHub actions which will optimize all your future code.
    • The codeflash config is then saved in the pyproject.toml file.

  2. Optimize your entire codebase:

    codeflash --all

    This can take a while to run for a large codebase, but it will keep opening PRs as it finds optimizations.

  3. Optimize a script:

    codeflash optimize myscript.py

Documentation

For detailed installation and usage instructions, visit our documentation at docs.codeflash.ai

Demo

  • Optimizing the performance of new code for a Pull Request through GitHub Actions. This lets you ship code quickly while ensuring it remains performant.

https://github.com/user-attachments/assets/38f44f4e-be1c-4f84-8db9-63d5ee3e61e5

  • Optiming a workflow end to end automatically with codeflash optimize

https://github.com/user-attachments/assets/355ba295-eb5a-453a-8968-7fb35c70d16c

Support

Join our community for support and discussions. If you have any questions, feel free to reach out to us using one of the following methods:

License

Codeflash is licensed under the BSL-1.1 License. See the LICENSE file for details.