fix(action): command allowlist + no-direct-launchdarkly opt-out#203
Conversation
…y opt-out - Add command allowlist (validate|scan|audit|migrate) with exit 2 on unknown values — prevents shell injection via the command input - Add no-direct-launchdarkly input (default: true) so validate-only teams using baseline mode can opt out without losing the flag entirely - Document migrate as a supported command alongside validate/scan/audit - Use ARGS array to safely compose flags before npx invocation Signed-off-by: Krishan Kant Sharma <krishansharma0327@gmail.com>
📝 WalkthroughWalkthroughThis PR updates the composite GitHub Action's ChangesFlagLint Action Configuration
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant Workflow
participant ActionStep
participant flaglintCLI
Workflow->>ActionStep: run with inputs.command, no-direct-launchdarkly
ActionStep->>ActionStep: validate command against allowlist
ActionStep->>ActionStep: build ARGS with --no-direct-launchdarkly if validate
ActionStep->>flaglintCLI: npx flaglint with ARGS and FLAGLINT_EXTRA_ARGS
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
action.yml (1)
58-64: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueStrict boolean comparison for
no-direct-launchdarkly.
FLAGLINT_NO_DIRECT_LDis only matched against the literal"true"(Line 59). Values like"True","1", or"yes"silently fall through to false with no warning, which could surprise users who don't use the exact lowercase string.♻️ Optional: case-insensitive check
- if [ "$FLAGLINT_COMMAND" = "validate" ] && [ "$FLAGLINT_NO_DIRECT_LD" = "true" ]; then + if [ "$FLAGLINT_COMMAND" = "validate" ] && [ "${FLAGLINT_NO_DIRECT_LD,,}" = "true" ]; thenArgument construction via
ARGSarray and quoting ofFLAGLINT_DIRECTORY/FLAGLINT_COMMAND/FLAGLINT_VERSIONotherwise looks correct and safe.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@action.yml` around lines 58 - 64, The `FLAGLINT_NO_DIRECT_LD` check in the `action.yml` shell step is too strict because it only accepts the exact lowercase string `"true"`. Update the boolean handling around the `ARGS` construction and `FLAGLINT_COMMAND` check so `no-direct-launchdarkly` is enabled for common truthy values such as `True`, `1`, or `yes` as well, while keeping the existing safe quoting of `FLAGLINT_VERSION`, `FLAGLINT_COMMAND`, and `FLAGLINT_DIRECTORY`.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@action.yml`:
- Around line 58-64: The `FLAGLINT_NO_DIRECT_LD` check in the `action.yml` shell
step is too strict because it only accepts the exact lowercase string `"true"`.
Update the boolean handling around the `ARGS` construction and
`FLAGLINT_COMMAND` check so `no-direct-launchdarkly` is enabled for common
truthy values such as `True`, `1`, or `yes` as well, while keeping the existing
safe quoting of `FLAGLINT_VERSION`, `FLAGLINT_COMMAND`, and
`FLAGLINT_DIRECTORY`.
Problem
Three issues in
action.yml:commandinput was passed directly to the shell with no validation.command: "validate; rm -rf /"would execute.--no-direct-launchdarklywas hardcoded for validate — teams using baseline-only mode (--baseline --fail-on-new) couldn't opt out of the LD call check.migratewas undocumented as a supported command.Fix
caseallowlist:validate|scan|audit|migrate— anything else exits 2 with a clear errorno-direct-launchdarklyinput (default:true) — only applied whencommand: validatemigratein the input descriptionARGSarray to compose flags safely before thenpxcallMigration
No breaking change. Default behaviour is identical:
command: validatestill passes--no-direct-launchdarklyby defaultno-direct-launchdarkly: "false"Test plan
command: scanruns without injecting--no-direct-launchdarklycommand: auditruns without injecting--no-direct-launchdarklycommand: validatestill injects--no-direct-launchdarklyby defaultcommand: validatewithno-direct-launchdarkly: "false"omits the flagcommand: badvalueexits 2 with error messageSummary by CodeRabbit
New Features
migrate.Bug Fixes