Injection vulnerability? #163
Comments
Thanks for looking out for these things. The override here is taken from a commandline argument, so there is no injection risk. The reason I use eval is because I personally prefer not having to write double quotes around all properties when quickly testing out an override.
@guybedford Makes sense, and the config files are JSON format so they won't work if someone makes a PR with code in them.
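The convenience discussed in the comments above (typing an override without double-quoting every property name) can also be had without evaluating code. The following is an added example, not part of this thread or of jspm-cli's code: `parseOverride` is a hypothetical helper that accepts unquoted identifier keys and single-quoted strings, rewrites them to strict JSON, and lets `JSON.parse` enforce the grammar.

```javascript
// Added example: parse a relaxed override literal without eval.
// parseOverride is a hypothetical helper, not part of jspm-cli.

// One token per match: whitespace, punctuation, double-quoted string,
// single-quoted string (no escapes), number, or bare identifier.
const TOKEN = /\s+|[{}\[\]:,]|"(?:[^"\\]|\\.)*"|'[^'\\]*'|-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|[A-Za-z_$][\w$]*/y;

function parseOverride(text) {
  const tokens = [];
  let pos = 0;
  while (pos < text.length) {
    TOKEN.lastIndex = pos;
    const m = TOKEN.exec(text);
    // Anything outside the token set (parentheses, dots, operators,
    // backticks) is rejected here, so no expression can get through.
    if (!m) throw new SyntaxError(`unexpected ${JSON.stringify(text[pos])} at offset ${pos}`);
    pos = TOKEN.lastIndex;
    if (!/^\s/.test(m[0])) tokens.push(m[0]);
  }
  const json = tokens.map((tok, i) => {
    if (tok[0] === "'") return JSON.stringify(tok.slice(1, -1));
    if (/^[A-Za-z_$]/.test(tok)) {
      if (tokens[i + 1] === ':') return JSON.stringify(tok); // unquoted key
      if (tok === 'true' || tok === 'false' || tok === 'null') return tok;
      throw new SyntaxError(`bare identifier used as a value: ${tok}`);
    }
    return tok;
  }).join(' ');
  // JSON.parse enforces the grammar (nesting, commas, escapes).
  return JSON.parse(json);
}

// Constructed sample input, typed without double quotes around keys.
const sample = "{ main: 'index.js', dependencies: { lodash: '^4.0.0' } }";
console.log(parseOverride(sample));
```

Keys that are not plain identifiers (for example, ones containing a hyphen) still have to be quoted.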
This was referenced Sep 12, 2021
guybedford pushed a commit that referenced this issue Apr 8, 2023
https://github.com/jspm/jspm-cli/blob/master/cli.js#L141
When the registry gets bigger, an injection in a pull request could easily be missed.