From 425c4c182f3ba1b77057c91ded023677050922f0 Mon Sep 17 00:00:00 2001 From: 1092841848 <1092841848@qq.com> Date: Fri, 29 May 2026 05:33:26 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20security=20issues=20=E2=80=94=20shell=20?= =?UTF-8?q?injection,=20hardcoded=20IP,=20.DS=5FStore,=20.gitignore?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - patch_config.sh: validate KEY (alphanumeric+underscore only) and escape sed special characters in VAL to prevent shell injection - SKILL.md: redact hardcoded internal IP address (10.95.239.139) - Remove tracked .DS_Store file (Cute-Learn/.DS_Store) - .gitignore: add .DS_Store, .env, Thumbs.db, editor temp files Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> --- .gitignore | 14 ++++++++++++++ Cute-Learn/.DS_Store | Bin 6148 -> 0 bytes MySkills/.claude/skills/nsys-profile-fd/SKILL.md | 2 +- .../nsys-profile-fd/scripts/patch_config.sh | 11 ++++++++++- 4 files changed, 25 insertions(+), 2 deletions(-) delete mode 100644 Cute-Learn/.DS_Store diff --git a/.gitignore b/.gitignore index 4ea2280..d09e814 100644 --- a/.gitignore +++ b/.gitignore @@ -14,3 +14,17 @@ CUDA-Learn/cg_demo *.fatbin *.cubin *.ptx + +# OS-generated files +.DS_Store +Thumbs.db + +# Secrets and environment files +.env +.env.* +!.env.example + +# Editor/IDE files +*.swp +*.swo +*~ diff --git a/Cute-Learn/.DS_Store b/Cute-Learn/.DS_Store deleted file mode 100644 index 5008ddfcf53c02e82d7eee2e57c38e5672ef89f6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeH~Jr2S!425mzP>H1@V-^m;4Wg<&0T*E43hX&L&p$$qDprKhvt+--jT7}7np#A3 zem<@ulZcFPQ@L2!n>{z**++&mCkOWA81W14cNZlEfg7;MkzE(HCqgga^y>{tEnwC%0;vJ&^%eQ zLs35+`xjp>T0 wait_port = 8291 nsys_session = zsg ``` diff --git a/MySkills/.claude/skills/nsys-profile-fd/scripts/patch_config.sh b/MySkills/.claude/skills/nsys-profile-fd/scripts/patch_config.sh index de4a326..f5781ca 100755 
--- a/MySkills/.claude/skills/nsys-profile-fd/scripts/patch_config.sh
+++ b/MySkills/.claude/skills/nsys-profile-fd/scripts/patch_config.sh
@@ -21,8 +21,17 @@ if [ ! -f "$FILE" ]; then
 exit 1
 fi
+# Validate KEY: only allow alphanumeric chars and underscores
+if ! echo "$KEY" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$'; then
+ echo "错误: key 只允许字母、数字和下划线: $KEY" >&2
+ exit 1
+fi
+
+# Escape sed special characters in VAL (/, &, \)
+ESCAPED_VAL=$(printf '%s' "$VAL" | sed 's/[\/&\\]/\\&/g')
+
 # 替换 JSON 字段值(匹配 "key": 任意值,直到逗号或右花括号前)
-sed -i "s/\"${KEY}\":[[:space:]]*[^,}]*/\"${KEY}\":${VAL}/" "$FILE"
+sed -i "s/\"${KEY}\":[[:space:]]*[^,}]*/\"${KEY}\":${ESCAPED_VAL}/" "$FILE"
 # 验证替换结果
 RESULT=$(grep "\"${KEY}\"" "$FILE")
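Review bot: The KEY check at `if ! echo "$KEY" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$'` validates per line rather than the whole value, so a KEY containing a newline passes as long as one of its lines matches, and the unvalidated remainder is then expanded into the `sed` script. A whole-value test closes that gap, avoids the two forks, and stays POSIX like the surrounding `[ ]` tests: `case "$KEY" in ''|[0-9]*|*[!A-Za-z0-9_]*) echo "错误: key 只允许字母、数字和下划线: $KEY" >&2; exit 1 ;; esac`. The `ESCAPED_VAL` step covers `/`, `&` and `\` for sed, but a VAL holding a newline still yields a malformed `s` command, and a `,`, `}` or `"` in VAL is written unchanged even though the `[^,}]*` match assumes the stored value contains none of them, so a later run on the same key would likely replace it only partially; either reject those characters with the same `case` idiom or, since the target is JSON, consider doing the edit with `jq`. FILE, KEY and VAL are assigned above the hunk, so whether a `set -e` stops the script on a sed failure is not visible here.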