codeant-ai-for-open-source[bot] commented on code in PR #36684:
URL: https://github.com/apache/superset/pull/36684#discussion_r2719189227
##########
superset-frontend/playwright.config.ts:
##########
@@ -117,10 +120,17 @@ export default defineConfig({
// Web server setup - disabled in CI (Flask started separately in workflow)
webServer: process.env.CI
? undefined
- : {
- command: 'curl -f http://localhost:8088/health',
- url: 'http://localhost:8088/health',
- reuseExistingServer: true,
- timeout: 5000,
- },
+ : (() => {
+ // Support custom base URL (e.g., http://localhost:9012/app/prefix/)
+ const baseUrl =
+ process.env.PLAYWRIGHT_BASE_URL || 'http://localhost:8088';
+ // Extract origin (scheme + host + port) for health check
+ const healthUrl = new URL('health', baseUrl).href;
+ return {
+ command: `curl -f ${healthUrl}`,
Review Comment:
**Suggestion:** The shell command string interpolates `healthUrl` directly
into `curl -f ${healthUrl}`; because `healthUrl` is ultimately derived from the
`PLAYWRIGHT_BASE_URL` environment variable, a value containing shell
metacharacters like `;` can break out of the command and execute arbitrary
shell instructions when Playwright starts the webServer, creating a command
injection risk even though it is primarily a test configuration. [security]
<details>
<summary><b>Severity Level:</b> Critical 🚨</summary>
```mdx
- ❌ Arbitrary shell command execution possible via env var.
- ⚠️ Local development environment security risk.
- ⚠️ CI secrets misuse could escalate risk.
```
</details>
```suggestion
command: `curl -f "${healthUrl}"`,
```
<details>
<summary><b>Steps of Reproduction ✅ </b></summary>
```mdx
1. Start tests locally where Playwright uses the webServer config in
superset-frontend/playwright.config.ts (webServer closure around lines
120-136).
2. Export a malicious PLAYWRIGHT_BASE_URL such as:
PLAYWRIGHT_BASE_URL='http://localhost:8088/health; echo hacked > /tmp/pwn'
and run
Playwright. The code constructs healthUrl from the env var and then places
it unquoted
into the shell command at line 130: `command: \`curl -f ${healthUrl}\``.
3. When Playwright executes the webServer command, the unquoted
interpolation allows the
shell to interpret the semicolon and run the appended command, performing
arbitrary
actions (e.g., creating /tmp/pwn). Observe the side-effect on the filesystem
or process
list to confirm command execution.
4. Note: In typical CI the env var is controlled and this is unlikely, but
locally or in a
compromised environment this creates a real command-injection vector
originating from this
config line (superset-frontend/playwright.config.ts:130).
```
</details>
<details>
<summary><b>Prompt for AI Agent 🤖 </b></summary>
```mdx
This is a comment left during a code review.
**Path:** superset-frontend/playwright.config.ts
**Line:** 130:130
**Comment:**
*Security: The shell command string interpolates `healthUrl` directly
into `curl -f ${healthUrl}`; because `healthUrl` is ultimately derived from the
`PLAYWRIGHT_BASE_URL` environment variable, a value containing shell
metacharacters like `;` can break out of the command and execute arbitrary
shell instructions when Playwright starts the webServer, creating a command
injection risk even though it is primarily a test configuration.
Validate the correctness of the flagged issue. If correct, How can I resolve
this? If you propose a fix, implement it and please make it concise.
```
</details>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
