Skip to content

fix(action): command allowlist + no-direct-launchdarkly opt-out#203

Merged
flaglint merged 1 commit into
mainfrom
fix/action-command-injection-and-flags
Jul 5, 2026
Merged

fix(action): command allowlist + no-direct-launchdarkly opt-out#203
flaglint merged 1 commit into
mainfrom
fix/action-command-injection-and-flags

Conversation

@Krishan27

@Krishan27 Krishan27 commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator

Problem

Three issues in action.yml:

  1. Shell injectioncommand input was passed directly to the shell with no validation. command: "validate; rm -rf /" would execute.
  2. --no-direct-launchdarkly was hardcoded for validate — teams using baseline-only mode (--baseline --fail-on-new) couldn't opt out of the LD call check.
  3. migrate was undocumented as a supported command.

Fix

  • Add case allowlist: validate|scan|audit|migrate — anything else exits 2 with a clear error
  • Add no-direct-launchdarkly input (default: true) — only applied when command: validate
  • Document migrate in the input description
  • Use ARGS array to compose flags safely before the npx call

Migration

No breaking change. Default behaviour is identical:

  • command: validate still passes --no-direct-launchdarkly by default
  • To disable: no-direct-launchdarkly: "false"

Test plan

  • command: scan runs without injecting --no-direct-launchdarkly
  • command: audit runs without injecting --no-direct-launchdarkly
  • command: validate still injects --no-direct-launchdarkly by default
  • command: validate with no-direct-launchdarkly: "false" omits the flag
  • command: badvalue exits 2 with error message

Summary by CodeRabbit

  • New Features

    • Added a new option to control whether an extra launch mode flag is passed during validation.
    • Expanded supported command options to include migrate.
  • Bug Fixes

    • Prevents unsupported command values from running by validating the selected command before execution.
    • Updates the default tool version to use the latest release by default.

…y opt-out

- Add command allowlist (validate|scan|audit|migrate) with exit 2 on
  unknown values — prevents shell injection via the command input
- Add no-direct-launchdarkly input (default: true) so validate-only teams
  using baseline mode can opt out without losing the flag entirely
- Document migrate as a supported command alongside validate/scan/audit
- Use ARGS array to safely compose flags before npx invocation

Signed-off-by: Krishan Kant Sharma <krishansharma0327@gmail.com>
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR updates the composite GitHub Action's action.yml, adding a no-direct-launchdarkly input, changing the version default to latest, expanding the command description, and reworking the CLI invocation script to validate commands and conditionally pass --no-direct-launchdarkly.

Changes

FlagLint Action Configuration

Layer / File(s) Summary
Input definitions
action.yml
Adds no-direct-launchdarkly boolean input (default true), expands command description to include migrate, and changes version default from 0.8.0 to latest.
CLI invocation logic
action.yml
Validates command against an allowlist, builds an ARGS array that conditionally includes --no-direct-launchdarkly only for validate, and appends FLAGLINT_EXTRA_ARGS to the npx flaglint invocation.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Workflow
  participant ActionStep
  participant flaglintCLI
  Workflow->>ActionStep: run with inputs.command, no-direct-launchdarkly
  ActionStep->>ActionStep: validate command against allowlist
  ActionStep->>ActionStep: build ARGS with --no-direct-launchdarkly if validate
  ActionStep->>flaglintCLI: npx flaglint with ARGS and FLAGLINT_EXTRA_ARGS
Loading

Possibly related PRs

  • flaglint/flaglint-js#193: Both PRs modify action.yml's "Run FlagLint" command logic to apply --no-direct-launchdarkly only for the validate subcommand.
  • flaglint/flaglint-js#199: Both PRs modify action.yml's version input defaulting to "latest" and wire it through to the npx flaglint invocation.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately captures the main change: command validation and the new no-direct-launchdarkly opt-out input.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/action-command-injection-and-flags

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
action.yml (1)

58-64: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Strict boolean comparison for no-direct-launchdarkly.

FLAGLINT_NO_DIRECT_LD is only matched against the literal "true" (Line 59). Values like "True", "1", or "yes" silently fall through to false with no warning, which could surprise users who don't use the exact lowercase string.

♻️ Optional: case-insensitive check
-        if [ "$FLAGLINT_COMMAND" = "validate" ] && [ "$FLAGLINT_NO_DIRECT_LD" = "true" ]; then
+        if [ "$FLAGLINT_COMMAND" = "validate" ] && [ "${FLAGLINT_NO_DIRECT_LD,,}" = "true" ]; then

Argument construction via ARGS array and quoting of FLAGLINT_DIRECTORY/FLAGLINT_COMMAND/FLAGLINT_VERSION otherwise looks correct and safe.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@action.yml` around lines 58 - 64, The `FLAGLINT_NO_DIRECT_LD` check in the
`action.yml` shell step is too strict because it only accepts the exact
lowercase string `"true"`. Update the boolean handling around the `ARGS`
construction and `FLAGLINT_COMMAND` check so `no-direct-launchdarkly` is enabled
for common truthy values such as `True`, `1`, or `yes` as well, while keeping
the existing safe quoting of `FLAGLINT_VERSION`, `FLAGLINT_COMMAND`, and
`FLAGLINT_DIRECTORY`.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@action.yml`:
- Around line 58-64: The `FLAGLINT_NO_DIRECT_LD` check in the `action.yml` shell
step is too strict because it only accepts the exact lowercase string `"true"`.
Update the boolean handling around the `ARGS` construction and
`FLAGLINT_COMMAND` check so `no-direct-launchdarkly` is enabled for common
truthy values such as `True`, `1`, or `yes` as well, while keeping the existing
safe quoting of `FLAGLINT_VERSION`, `FLAGLINT_COMMAND`, and
`FLAGLINT_DIRECTORY`.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: af7af4d2-b548-4fcd-a915-32f364614958

📥 Commits

Reviewing files that changed from the base of the PR and between 018e16f and 39fa951.

📒 Files selected for processing (1)
  • action.yml

@flaglint flaglint merged commit 28fa0c1 into main Jul 5, 2026
10 checks passed
@flaglint flaglint deleted the fix/action-command-injection-and-flags branch July 5, 2026 20:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants