Copilot commented on code in PR #37724: URL: https://github.com/apache/shardingsphere/pull/37724#discussion_r2684909437
########## test/native/src/test/resources/test-native/ps1/config-rdctl.ps1: ########## @@ -20,7 +20,7 @@ # This file is only used in the PowerShell 7 of ShardingSphere in GitHub Actions environment and should not be executed manually in a development environment. # Background information can be found at https://github.com/apache/shardingsphere/pull/35905 . iex "& { $(irm https://raw.githubusercontent.com/microsoft/Windows-Containers/refs/heads/Main/helpful_tools/Install-DockerCE/uninstall-docker-ce.ps1) } -Force" -winget install --id jazzdelightsme.WingetPathUpdater --source winget +irm https://raw.githubusercontent.com/jazzdelightsme/WingetPathUpdater/v1.2/WingetPathUpdaterInstall.ps1 | iex Review Comment: Downloading and executing a PowerShell script directly from a third-party GitHub URL via `irm ... | iex` introduces a supply-chain risk in the CI pipeline. If the referenced tag or repository is compromised or changed, an attacker could run arbitrary code in your CI environment with access to secrets and build artifacts. Prefer installing this tool via a trusted package manager with integrity checks, or at least pin to an immutable commit and verify the script’s integrity before execution instead of piping it straight into `iex`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
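Review bot: the new line swaps a package-manager install for an unverified `irm ... | iex`, and `v1.2` in the URL is a tag, which can be moved or deleted; the unchanged line just above it fetches `uninstall-docker-ce.ps1` from `refs/heads/Main`, a moving branch, so the script now has two fetch-and-execute steps with no integrity check and nothing pinned to an immutable revision. Pin both URLs to a commit SHA, record the expected SHA-256 of each reviewed script next to it, download to a file, compare the hash, and only then execute, rather than piping the response into `iex`. The header comment points to PR #35905 for background but this hunk gives no reason for dropping `winget install --id jazzdelightsme.WingetPathUpdater --source winget`; add a sentence there recording why the package-manager route was abandoned so the next reader does not revert it.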
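The pin-and-verify approach the review comment asks for, written out in PowerShell 7 as an added example; this is not code from the ShardingSphere repository or from the WingetPathUpdater project. The commit SHA and the expected SHA-256 are zero-filled placeholders that an operator replaces after reviewing the script once; the function name `Invoke-VerifiedRemoteScript` is chosen here and is not part of any project.

```powershell
# Added example, not part of the PR under review: fetch a remote installer
# script, verify its SHA-256 against a pinned value, and only then run it.
# The commit SHA and hash are placeholders to be filled in after review.

$ErrorActionPreference = 'Stop'

# Pin to an immutable commit instead of a movable tag such as v1.2 (placeholder SHA).
$PinnedCommit = '0000000000000000000000000000000000000000'
$ScriptUrl    = "https://raw.githubusercontent.com/jazzdelightsme/WingetPathUpdater/$PinnedCommit/WingetPathUpdaterInstall.ps1"

# SHA-256 of the reviewed script bytes, recorded next to the commit (placeholder).
$ExpectedSha256 = '0000000000000000000000000000000000000000000000000000000000000000'

function Invoke-VerifiedRemoteScript {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $tmp = Join-Path ([System.IO.Path]::GetTempPath()) ([System.IO.Path]::GetRandomFileName() + '.ps1')
    try {
        # Download to disk first so the bytes that are hashed are the bytes that execute.
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing

        # Get-FileHash returns upper-case hex; compare case-insensitively.
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if (-not [string]::Equals($actual, $ExpectedSha256, [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "Integrity check failed for $Url`n expected: $ExpectedSha256`n actual:   $actual"
        }

        # Run the verified file in a child scope; nothing is piped into iex.
        & $tmp
    }
    finally {
        Remove-Item -Path $tmp -Force -ErrorAction SilentlyContinue
    }
}

Invoke-VerifiedRemoteScript -Url $ScriptUrl -ExpectedSha256 $ExpectedSha256
```

Any upstream change, whether a legitimate new release or a compromised repository, makes the hash comparison fail and the CI job stop, which forces a human to re-review the script and bump both pins deliberately. The CI runner's execution policy must allow running the downloaded file; on GitHub Actions the PowerShell 7 shell is normally invoked with a bypass policy, so `& $tmp` behaves the same as the original `iex` in that respect.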
