Instead of manually updating the version, reason from plugin.json#164
Instead of manually updating the version, reason from plugin.json#164Rajat-Dabade merged 4 commits intomainfrom
Conversation
Rajat-Dabade
requested review from
harshilsharma63,
hmhealey and
yasserfaraazkhan
Rajat-Dabade
added
2: Dev Review
marianunez
left a comment
marianunez
left a comment
There was a problem hiding this comment.
@Rajat-Dabade we would also need to remove it from the plugin.json so the build process of the bundle can generate it and set from the tag - removing that manual step. See example: mattermost/mattermost-plugin-msteams-meetings#169
|
We'd still need to make the other changes, for example, from this PR - https://github.com/mattermost/mattermost-plugin-boards/pull/156/changes right? |
- mattermost#159: Bump lodash 4.17.21 → 4.17.23 (Prototype Pollution fix, SNYK-JS-LODASH-15053838) - mattermost#164: Read versionString from plugin.json manifest instead of hardcoding Cherry-picked from mattermost/mattermost-plugin-boards
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing touches🧪 Generate unit tests (beta)
Comment |
🟡 Please give this pull request extra attention during review.This pull request introduces multiple build-time injection risks: the Makefile in build/setup.mk unsafely interpolates git outputs into a shell command (allowing command injection), and the build/manifest tool writes unescaped manifest data into a JS template literal (allowing code injection / XSS via backticks, ${ sequences, or closing script patterns). Together these flaws can let malicious git tags or manifest fields execute arbitrary shell commands during builds or arbitrary JavaScript in the webapp.
🟡 Potential Cross-Site Scripting in
|
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The generator embeds the raw JSON text into a JavaScript source-level template using backtick-delimited string interpolation without fully escaping characters that can break out of the JS template context. The code only replaces literal newline escape sequences (\n -> \\n) but does not escape backticks (`), ${ sequence, or closing </script> patterns that can lead to executable injection when the generated file is served to a browser. Since manifest fields (homepage_url, release_notes_url, name, description, etc.) can originate from external inputs (or in some build setups be influenced by tags or repo data), an attacker-controlled value containing a backtick or a template substitution sequence could terminate or alter the JS and inject code, resulting in XSS. |
mattermost-plugin-boards/build/manifest/main.go
Lines 191 to 194 in 96b8f4f
Command Injection in Build Process in build/setup.mk
| Vulnerability | Command Injection in Build Process |
|---|---|
| Description | The Makefile in build/setup.mk executes a shell command using $(shell ...) to compile the manifest tool. During this process, it interpolates the output of git describe and git tag directly into the -ldflags argument of the go build command. Because Make variables are expanded as raw strings without any shell escaping, a maliciously crafted git tag (e.g., containing single quotes, semicolons, or backticks) can break out of the command's quoting and execute arbitrary shell commands on the build system. This affects any environment where make is run, including CI/CD runners and developer machines. |
mattermost-plugin-boards/build/setup.mk
Lines 13 to 16 in 96b8f4f
Build-time Code Injection in build/manifest/main.go
| Vulnerability | Build-time Code Injection |
|---|---|
| Description | The build/manifest tool generates a TypeScript file (webapp/src/manifest.ts) by interpolating a JSON-marshaled manifest into a JavaScript template literal. The tool fails to escape backticks () and the interpolation sequence (${) which are special characters in JavaScript template literals. If any field in the manifest (such as version, which can be derived from git tags, or name/descriptionfromplugin.json) contains these characters, they will be executed as arbitrary JavaScript when the webapp loads the manifest. For example, a version tag like v1.0.0-${alert(1)}` would trigger an execution in the browser of any user using the plugin. |
mattermost-plugin-boards/build/manifest/main.go
Lines 196 to 199 in 96b8f4f
All finding details can be found in the DryRun Security Dashboard.
|
For testing this one, we just need to validate the version when it's built from the tag at release time so we can do this post merge @yasserfaraazkhan |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
@harshilsharma63 everything is now taken care of. |
| import manifest from '../../plugin.json' | ||
| // This file is automatically generated. Do not modify it manually. | ||
|
|
||
| const manifest = JSON.parse(` |
There was a problem hiding this comment.
Not sure whats the reason behind this change. Can you add code comment explaining why we cannot import plugin.json as I think someone will be confused in the future as well.
There was a problem hiding this comment.
Added the comments.
There was a problem hiding this comment.
Ah, got it. It's an autogenerated file.
3 participants
Summary
Removed the need to manually update the board version in different parts of the code. Now, the version is automatically read from the plugin.json file and used everywhere.
Ticket Link
https://mattermost.atlassian.net/browse/MM-67360
Summary by CodeRabbit