
CodeQL Security Warning

Open grempe opened this issue 2 years ago • 1 comment

The GitHub CodeQL security scanning tool is reporting a security issue in this lib for a repo where I include it as a dependency.

Incomplete string escaping or encoding: A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective.

It seems to be referencing the code here:

https://github.com/c4spar/deno-cliffy/blob/99ccc2a38d319d06cd0c8e80a22fdc3f9dde8a1d/command/completions/_zsh_completions_generator.ts#L257

A screenshot of the warning:

[screenshot: Screen Shot 2021-12-15 at 2 25 32 PM]

grempe avatar Dec 15 '21 19:12 grempe
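The CodeQL rule quoted above fires on a common pattern: `String.prototype.replace` called with a string pattern rewrites only the first match, so an escaper built on it leaves every later meta-character untouched. The following TypeScript is an added example, not deno-cliffy's code, and it makes no claim about what the linked line 257 actually contains; the function names (`escapeSingleQuotesIncomplete`, `escapeSingleQuotes`, `quoteForShell`, `countUnescapedQuotes`) and the sample value are assumptions made for the illustration. It shows the flagged shape beside a global-regex fix and a check that counts the quotes each version leaves unescaped.

```typescript
// Added example (not deno-cliffy's code): why CodeQL's
// "incomplete string escaping or encoding" rule fires, and how to fix it.
// All function names below are hypothetical.

// Escapes only the FIRST single quote: a string pattern to replace()
// matches once. This is the shape the rule flags.
function escapeSingleQuotesIncomplete(value: string): string {
  return value.replace("'", "'\\''");
}

// Global regex: every occurrence is rewritten.
function escapeSingleQuotes(value: string): string {
  return value.replace(/'/g, "'\\''");
}

// Wraps a value so a POSIX-style shell (zsh included) reads it as one
// literal word. Assumption: single-quote wrapping using the '\'' idiom,
// the standard way to embed a single quote inside a single-quoted string.
function quoteForShell(value: string): string {
  return `'${escapeSingleQuotes(value)}'`;
}

// Check: count single quotes that are NOT part of the '\'' escape
// sequence. A correct escaper leaves zero of them.
function countUnescapedQuotes(escaped: string): number {
  // Strip every properly escaped quote, then count what remains.
  return escaped.split("'\\''").join("").split("'").length - 1;
}

// Constructed sample: a description containing three single quotes,
// the kind of value a CLI author could put in a completion string.
const SAMPLE = "it's a 'test'";

function demo(): { incomplete: string; complete: string } {
  return {
    incomplete: escapeSingleQuotesIncomplete(SAMPLE),
    complete: escapeSingleQuotes(SAMPLE),
  };
}

// Run stand-alone: prints both escapings and the unescaped-quote counts.
const out = demo();
console.log(out.incomplete, countUnescapedQuotes(out.incomplete)); // 2 left unescaped
console.log(out.complete, countUnescapedQuotes(out.complete));     // 0 left unescaped
console.log(quoteForShell(SAMPLE));
```

Note that for an input with at most one quote both functions return the same string, which is why this class of bug tends to survive casual testing; a test value with two or more meta-characters is the one that separates them.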

@grempe sorry for the late reply!

Thanks for the report. I'm aware that this code should be improved and does not work correctly in all cases. But I think it's not a critical security issue, as this code is only used when the completions script from the completions command is used, and the values passed to the script come from the CLI author anyway. It could become critical if the values passed to the command come from a third-party library.

But I agree we should fix this.

c4spar avatar Mar 16 '22 20:03 c4spar