mirror of
https://github.com/codeflash-ai/codeflash.git
synced 2026-05-04 18:25:17 +00:00
**Issue #17:** Unsanitized file paths in f-string interpolation can inject
arbitrary JavaScript code into the generated Jest config file.
**Severity:** CRITICAL
**Root Cause:**
File: /opt/codeflash/codeflash/languages/javascript/test_runner.py:516, 524, 565
Three locations used f-string interpolation to embed paths into JavaScript code
without escaping:
1. Line 516: `test_dirs_js = ", ".join(f"'{d}'" for d in sorted(test_dirs))`
2. Line 524: `f"moduleDirectories: [..., '{monorepo_node_modules}'],"`
3. Line 565: `f"roots: ['{project_root}', {test_dirs_js}],"`
If any path contains a single quote (`'`), it breaks out of the string and
executes arbitrary JavaScript. Example:
**Malicious path:** `/tmp/test']; console.log('INJECTED'); roots=['`
**Vulnerable output:**
```javascript
roots: ['/project', '/tmp/test']; console.log('INJECTED'); roots=[''],
^-- breaks string, executes code
```
**Impact:**
- **Code injection:** Arbitrary JavaScript execution when Jest loads config
- **Attack vector:** User-controlled paths (test directories, monorepo paths)
- **Scope:** Any project where test dirs or project root contains quote char
- **Risk:** HIGH - While uncommon, paths can be influenced via symlinks,
mount points, or malicious repository names
**Fix:**
Use `json.dumps()` to properly escape all paths before embedding in JavaScript:
1. Line 516: `json.dumps(d)` instead of `f"'{d}'"`
2. Line 524: `json.dumps(monorepo_node_modules)` instead of f-string
3. Line 565: `json.dumps(str(project_root))` instead of f-string
`json.dumps()` wraps strings in double quotes and properly escapes special
characters, preventing injection.
**After fix:**
```javascript
roots: ["/project", "/tmp/test']; console.log('INJECTED'); roots=['"],
^-- double quoted, single quotes are string content (safe)
```
**Files Changed:**
- codeflash/languages/javascript/test_runner.py (3 injection points fixed)
- tests/test_languages/test_javascript_injection_bug.py (new test file, 2 tests)
**Testing:**
- 2 new tests specifically for injection vulnerability (both pass)
- 2 existing test_runner tests pass
- All tests verify paths are JSON-escaped (double-quoted)
**Security Note:**
This vulnerability was found through proactive code review (autoresearch:debug).
No known exploits in the wild. Fixed before public disclosure.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
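As an added illustration (not code from the codeflash repository), the pattern the commit describes beside its `json.dumps()` fix, with a round-trip check that fails whenever a path escapes its string literal. The path values and the `parse_roots` helper are constructed for this example.

```python
"""Jest config fragment generation: raw f-string interpolation vs json.dumps()."""
import json
from typing import Iterable

# Constructed sample inputs, not taken from any real project.
PROJECT_ROOT = "/project"
TEST_DIRS = {"/project/tests", "/tmp/test']; console.log('INJECTED'); roots=['"}
WINDOWS_DIR = r"C:\repo\tests"  # backslashes are JS escape sequences if left raw


def roots_line_unsafe(project_root: str, test_dirs: Iterable[str]) -> str:
    """The pre-fix pattern: a single quote inside any path terminates the JS
    string literal, and the rest of the path is emitted as JavaScript code."""
    test_dirs_js = ", ".join(f"'{d}'" for d in sorted(test_dirs))
    return f"roots: ['{project_root}', {test_dirs_js}],"


def roots_line_safe(project_root: str, test_dirs: Iterable[str]) -> str:
    """The fix: json.dumps() yields a double-quoted literal with quotes,
    backslashes, control characters and non-ASCII escaped. A JSON string
    is also a valid JavaScript string, so no path can leave its literal."""
    test_dirs_js = ", ".join(json.dumps(d) for d in sorted(test_dirs))
    return f"roots: [{json.dumps(str(project_root))}, {test_dirs_js}],"


def parse_roots(line: str) -> list:
    """Regression check (assumed helper): the emitted value must be one JSON
    array whose elements round-trip to the original paths. Output in which a
    path broke out of its literal is not valid JSON and raises ValueError."""
    prefix, suffix = "roots: [", "],"
    if not (line.startswith(prefix) and line.endswith(suffix)):
        raise ValueError("unexpected line shape: " + line)
    return json.loads("[" + line[len(prefix):-len(suffix)] + "]")


if __name__ == "__main__":
    print(roots_line_unsafe(PROJECT_ROOT, TEST_DIRS))
    print(roots_line_safe(PROJECT_ROOT, TEST_DIRS))
    print(parse_roots(roots_line_safe(PROJECT_ROOT, TEST_DIRS)))
```

The Windows path case shows a second benefit of the fix: `'C:\repo\tests'` in raw form would be read by JavaScript as a carriage return and a tab, while the JSON form preserves the backslashes.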