fix: remove unsafe exec() in forc_template.rs#7610
fix: remove unsafe exec() in forc_template.rs#7610orbisai0security wants to merge 1 commit intoFuelLabs:masterfrom
Conversation
Automated security fix generated by Orbis Security AI
PR SummaryMedium Risk Overview Updates template initialization to select the appropriate Reviewed by Cursor Bugbot for commit 57c03a8. Bugbot is set up for automated code reviews on this repo. Configure here. |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 57c03a8. Configure here.
| let source = source::git::Source { | ||
| repo: Url::from_str(&command.url)?, | ||
| reference: source::git::Reference::DefaultBranch, | ||
| reference, |
There was a problem hiding this comment.
Misleading "HEAD" log message for tag/rev references
Low Severity
The println_action_green("Resolving", &format!("the HEAD of {}", source.repo)) message is now incorrect when --tag or --rev is specified. Previously, the reference was always DefaultBranch so "the HEAD" was accurate. With the new code paths, when a user passes --rev or --tag, the message still claims to resolve "the HEAD" when it's actually resolving a specific tag or commit hash. This gives users confusing feedback about what operation is being performed.
Reviewed by Cursor Bugbot for commit 57c03a8. Configure here.
| source::git::Reference::Tag(tag.clone()) | ||
| } else { | ||
| source::git::Reference::DefaultBranch | ||
| }; |
There was a problem hiding this comment.
Silently ignores --tag when --rev also provided
Low Severity
The --tag and --rev CLI options lack a conflicts_with declaration, so both can be specified simultaneously. When a user provides both, --rev silently takes priority and --tag is ignored without warning. The codebase already uses conflicts_with for mutually exclusive options (e.g., in shared.rs). Users providing both flags likely have a misconfigured command and deserve a clear error rather than silent precedence.
Additional Locations (1)
Reviewed by Cursor Bugbot for commit 57c03a8. Configure here.
1 participant
Summary
Fix critical severity security issue in
forc/src/ops/forc_template.rs.Vulnerability
V-001forc/src/ops/forc_template.rs:44Description: The forc package manager fetches Git-hosted dependencies and templates without cryptographic hash pinning or signature validation. When a developer runs 'forc template' or a dependency fetch, the code in forc_template.rs:44 calls source::git::fetch with a Git URL, and forc-pkg/src/source/mod.rs:347 inserts the fetched package directly into the build pipeline. There is no evidence of content hash verification against a lock file before the fetched code is compiled and executed. This means any attacker who can intercept or redirect the Git fetch (via DNS hijacking, BGP hijacking, or a compromised hosting account) can serve arbitrary malicious code that will be compiled and run on the developer's machine.
Changes
forc/src/ops/forc_template.rsforc/src/cli/commands/template.rsVerification
Automated security fix by OrbisAI Security