feat: add public doctor API for programmatic usage [4 of 8]#276
Open
whizzzkid wants to merge 1 commit into feat/refactor-library-part_3 from
Add library entry points for the doctor module:

- src/doctor/api.rs: run() and list() functions for programmatic doctor checks
- Export DoctorRunOptions and PathRunResult from doctor module and crate root
- Enable library users to run health checks without CLI dependencies

Co-Authored-By: Claude (global.anthropic.claude-opus-4-5-20251101-v1:0) <noreply@anthropic.com>
This pull request introduces code in src/doctor/api.rs where the run function executes commands taken from repository configuration files (.scope/*.yaml) during both 'check' and 'fix' phases without prompting, using /usr/bin/env -S and an unsafe PATH that includes the repo's bin directories, allowing a malicious repository to achieve arbitrary code execution when a user runs scope doctor. This behavior is currently judged non-blocking but represents a critical security risk because commands run automatically and validation is insufficient.
Configuration-Driven Arbitrary Code Execution in
| Vulnerability | Configuration-Driven Arbitrary Code Execution |
|---|---|
| Description | The run function in src/doctor/api.rs executes arbitrary commands defined in the configuration files (.scope/*.yaml) located within the repository being scanned. This execution occurs during both the 'check' phase and the 'fix' phase. Crucially, the 'check' phase and group-level skip checks execute these commands automatically without any user confirmation or prompting. The execution provider uses /usr/bin/env -S to run these command strings, and the validation performed is insufficient as it includes the repository's own bin directories in the search path. An attacker can thus achieve arbitrary code execution by providing a malicious repository that a user runs scope doctor on. |
Lines 79 to 82 in 14d566f
All finding details can be found in the DryRun Security Dashboard.
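One way a defender could close the gap the finding describes, as an added Rust example that is not part of this PR or the scope project: commands read from a repository's .scope/*.yaml are only executed once the user has explicitly marked that repository as trusted, fix-phase commands additionally require a per-command confirmation, and the PATH handed to the launcher is rebuilt from the inherited PATH with every relative entry and every directory under the repository root removed, so a repo-shipped bin/ cannot shadow system tools. The ConfigTrust, DoctorCheck, Decision, safe_path, plan_check, plan_fix and build_command names and the sample checks in main are hypothetical constructions for this example; the only element taken from the page is the /usr/bin/env -S launcher the finding mentions.

```rust
use std::collections::HashSet;
use std::path::{Path, PathBuf};
use std::process::Command;

/// Hypothetical trust state for a repository's `.scope/*.yaml` configuration.
/// Untrusted is the default: checks are listed, but their commands never run.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ConfigTrust {
    Trusted,
    Untrusted,
}

/// One doctor check as it might be read from the repository config (hypothetical shape).
#[derive(Debug, Clone)]
pub struct DoctorCheck {
    pub name: String,
    pub check_cmd: String,
    pub fix_cmd: Option<String>,
}

/// Policy outcome for a single config-supplied command.
#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Run { command: String, path: String },
    Skipped { reason: String },
}

/// Rebuild PATH for a config-supplied command: keep absolute, de-duplicated entries
/// from the inherited PATH and drop anything located under the repository root.
pub fn safe_path(inherited_path: &str, repo_root: &Path) -> String {
    let mut seen: HashSet<PathBuf> = HashSet::new();
    inherited_path
        .split(':')
        .filter(|d| !d.is_empty())
        .map(PathBuf::from)
        .filter(|d| d.is_absolute() && !d.starts_with(repo_root))
        .filter(|d| seen.insert(d.clone()))
        .map(|d| d.to_string_lossy().into_owned())
        .collect::<Vec<_>>()
        .join(":")
}

/// Check phase: a command runs only when the repository config has been explicitly trusted.
pub fn plan_check(check: &DoctorCheck, trust: ConfigTrust, inherited_path: &str, repo_root: &Path) -> Decision {
    if trust != ConfigTrust::Trusted {
        return Decision::Skipped {
            reason: format!("{}: repository config is untrusted; `{}` not executed", check.name, check.check_cmd),
        };
    }
    Decision::Run { command: check.check_cmd.clone(), path: safe_path(inherited_path, repo_root) }
}

/// Fix phase: same trust gate, plus a per-command confirmation callback (e.g. a TTY prompt).
pub fn plan_fix(check: &DoctorCheck, trust: ConfigTrust, confirm: impl Fn(&str) -> bool, inherited_path: &str, repo_root: &Path) -> Decision {
    let fix = match check.fix_cmd.as_deref() {
        Some(f) => f,
        None => return Decision::Skipped { reason: format!("{}: no fix command defined", check.name) },
    };
    if trust != ConfigTrust::Trusted {
        return Decision::Skipped { reason: format!("{}: repository config is untrusted; `{}` not executed", check.name, fix) };
    }
    if !confirm(fix) {
        return Decision::Skipped { reason: format!("{}: fix declined by user", check.name) };
    }
    Decision::Run { command: fix.to_string(), path: safe_path(inherited_path, repo_root) }
}

/// Turn a Run decision into a `/usr/bin/env -S` launcher (the mechanism the finding describes)
/// with the restricted PATH set explicitly. Nothing is spawned here; Skipped yields None.
pub fn build_command(decision: &Decision) -> Option<Command> {
    match decision {
        Decision::Run { command, path } => {
            let mut cmd = Command::new("/usr/bin/env");
            cmd.arg("-S").arg(command).env("PATH", path);
            Some(cmd)
        }
        Decision::Skipped { .. } => None,
    }
}

fn main() {
    // Constructed sample: a repository root, an inherited PATH that already contains the
    // repo's own bin/, and two checks shaped like entries from .scope/*.yaml.
    let repo_root = Path::new("/work/repo");
    let inherited = "/usr/local/bin:/work/repo/bin:/usr/bin:/usr/bin:relative/bin";
    let checks = vec![
        DoctorCheck { name: "node".into(), check_cmd: "node --version".into(), fix_cmd: None },
        DoctorCheck { name: "deps".into(), check_cmd: "npm ls".into(), fix_cmd: Some("npm install".into()) },
    ];
    for trust in [ConfigTrust::Untrusted, ConfigTrust::Trusted] {
        for c in &checks {
            println!("{:?} check -> {:?}", trust, plan_check(c, trust, inherited, repo_root));
            // A non-interactive run answers "no" to every fix prompt.
            println!("{:?} fix   -> {:?}", trust, plan_fix(c, trust, |_| false, inherited, repo_root));
        }
    }
}
```

The trust decision is kept separate from the launcher so that `list()`-style callers can show what a repository would run without running it, and the PATH filter is component-wise (`Path::starts_with`), so a sibling directory such as /work/repository is not mistaken for the repository root.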
Part 4 of 8
This is 4/8 of #265
Description of Changes (auto-gen)
Add library entry points for the doctor module: