deno-cliffy
CodeQL Security Warning
The GitHub CodeQL security scanning tool is reporting a security issue in this lib for a repo where I include it as a dependency.
Incomplete string escaping or encoding: A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective.
It seems to be referencing the code here:
https://github.com/c4spar/deno-cliffy/blob/99ccc2a38d319d06cd0c8e80a22fdc3f9dde8a1d/command/completions/_zsh_completions_generator.ts#L257
A screenshot of the warning:
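The shape of bug behind that CodeQL rule, as an added example that is not deno-cliffy's code: an escaper built on `String.prototype.replace` with a string pattern rewrites only the first occurrence, while a global regex rewrites them all. The escape rules and the sample completion value are constructed for the illustration and are not the ones the generator applies.

```typescript
// Added example, not code from deno-cliffy. Escape rules are an assumption:
// a backslash and a single quote are the meta-characters, each neutralised
// by a leading backslash. Backslashes go first so the ones added for quotes
// are not doubled afterwards.

// Flawed transformer: `replace` with a string pattern (or a regex without
// the /g flag) rewrites only the FIRST occurrence of each meta-character.
function escapeIncomplete(value: string): string {
  return value.replace("\\", "\\\\").replace("'", "\\'");
}

// Complete transformer: a global regex rewrites every occurrence.
function escapeAll(value: string): string {
  return value.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}

// Check for validating an escaper: count occurrences of a non-backslash
// meta-character `ch` that are not preceded by an escaping backslash.
// Zero means the escaping was complete.
function countUnescaped(escaped: string, ch: string): number {
  let count = 0;
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] === "\\") {
      i++; // whatever follows a backslash is already escaped
      continue;
    }
    if (escaped[i] === ch) count++;
  }
  return count;
}

// Constructed sample: several quotes and a backslash. With only one quote
// the two escapers agree, which is why this class of bug survives testing.
const SAMPLE = "it's a 'quoted' C:\\path";

console.log(escapeIncomplete(SAMPLE), countUnescaped(escapeIncomplete(SAMPLE), "'"));
console.log(escapeAll(SAMPLE), countUnescaped(escapeAll(SAMPLE), "'"));
```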
@grempe sorry for the late reply!
Thanks for the report. I'm aware that this code should be improved and does not work correctly in all cases. But I think it's not a critical security issue, as this code is only used when the completions script from the completions command is used, and the values passed to the script come from the CLI author anyway. It could become critical if the values passed to the command come from a third-party library.
But I agree we should fix this.