[Security] Fix ineffective PID validation in treeKill#7444
[Security] Fix ineffective PID validation in treeKill#7444gonzaloriestra wants to merge 1 commit intomainfrom
Conversation
The `treeKill` utility used `Number.isNaN()` on a string variable, which is ineffective for numeric validation as it returns `false` for non-numeric strings. This created a potential command injection risk on Windows where the PID is passed to `exec()`. This PR replaces the flawed check with a robust regex validation `/^\d+$/` to ensure the PID is a valid numeric string.
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
github-actions
Bot
added
the
no-changelog
1 participant
The
treeKillutility usedNumber.isNaN()on a string variable, which is ineffective for numeric validation as it returnsfalsefor non-numeric strings. This created a potential command injection risk on Windows where the PID is passed toexec().This PR replaces the flawed check with a robust regex validation
/^\d+$/to ensure the PID is a valid numeric string.How to test your changes?
Run the newly added tests:
pnpm --filter cli-kit vitest run tree-killPR created automatically by Jules for task 2778250173359050246 started by @gonzaloriestra