Skip to content

fix: remove shell usage from plugin check #1367

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aaronpowell merged 2 commits into from
Apr 10, 2026
Merged

fix: remove shell usage from plugin check #1367

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d5f35a4
fix: remove shell usage from plugin check
aaronpowell Apr 10, 2026
1b8dfff
fix: harden plugin symlink scan
aaronpowell Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 45 additions & 7 deletions .github/workflows/check-plugin-structure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,50 @@ jobs:
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const { execSync } = require('child_process');
const fs = require('fs');
const path = require('path');

const pluginsDir = 'plugins';
const errors = [];

function findSymlinks(rootDir) {
const symlinks = [];
const dirsToScan = [rootDir];

while (dirsToScan.length > 0) {
const currentDir = dirsToScan.pop();
let entries;

try {
entries = fs.readdirSync(currentDir, { withFileTypes: true });
} catch (error) {
throw new Error(`Failed to read directory "${currentDir}": ${error.message}`);
}

for (const entry of entries) {
const entryPath = path.join(currentDir, entry.name);
let stat;

try {
stat = fs.lstatSync(entryPath);
} catch (error) {
throw new Error(`Failed to inspect "${entryPath}": ${error.message}`);
}

if (stat.isSymbolicLink()) {
symlinks.push(entryPath);
continue;
}

if (stat.isDirectory()) {
dirsToScan.push(entryPath);
}
}
}

return symlinks;
}

if (!fs.existsSync(pluginsDir)) {
console.log('No plugins directory found');
return;
Expand Down Expand Up @@ -63,14 +100,15 @@ jobs:
}
}

// Check for symlinks anywhere in the plugin directory
// Check for symlinks anywhere in the plugin directory without invoking a shell
try {
const allFiles = execSync(`find "${pluginPath}" -type l`, { encoding: 'utf-8' }).trim();
if (allFiles) {
errors.push(`${pluginPath} contains symlinks:\n${allFiles}`);
const symlinkPaths = findSymlinks(pluginPath);
if (symlinkPaths.length > 0) {
const formattedPaths = symlinkPaths.map(filePath => `\`${filePath}\``).join(', ');
errors.push(`${pluginPath} contains symlinks: ${formattedPaths}`);
Comment on lines +106 to +108
Copy link

Copilot AI Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

formattedPaths wraps user-controlled filesystem names in Markdown inline code without escaping. A crafted symlink filename containing backticks/newlines (or @mentions) can break formatting and potentially inject unwanted Markdown into the PR review body. Consider escaping Markdown special characters in filePath (at least backticks/newlines) or rendering the symlink list inside a fenced code block with safe escaping.

Copilot uses AI. Check for mistakes.
}
} catch (e) {
// find returns non-zero if no matches, ignore
} catch (error) {
errors.push(`Failed to inspect ${pluginPath} for symlinks: ${error.message}`);
}
}

Expand Down
Loading