Review feedback

31dbe11
Open

chore: Added a little dev script to help contributors #4793

@sentry/warden / warden: find-bugs completed Mar 18, 2026 in 37s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Command injection via solution argument on Windows - `dev.cs:53`

The `solution` argument in `CleanSlateAsync` and `SolutionRestoreAsync` is interpolated into a command string with only double-quote escaping. On Windows, when the command is routed through `cmd.exe /c` (lines 130-136), an attacker can escape the quotes using characters like `" & malicious_command &`. For example, a solution argument of `test" & calc & echo "` would execute arbitrary commands. While this is a dev helper script and the risk is limited to developers running it manually, it violates secure coding practices for command execution.

Duration: 37.0s · Tokens: 35.0k in / 1.4k out · Cost: $0.14 (+extraction: $0.00)
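The pattern behind this finding, as an added example that is not the PR's dev.cs and not Sentry's code: the interpolate-then-`cmd.exe /c` shape the bot describes, next to the shell-free `ProcessStartInfo.ArgumentList` form that removes the injection. Assumptions (none are confirmed by the page): the script runs `dotnet restore <solution>`, it escapes double quotes with a backslash, and the function names `BuildUnsafeCommandLine`, `BuildSafeStartInfo` and `IsAcceptableSolutionPath` are illustrative.

```csharp
// Added example, not the PR's dev.cs. Reproduces the shape of the finding
// (string interpolation + quote escaping, then cmd.exe /c) beside the fix.
// Assumptions: the script runs `dotnet restore <solution>` and escapes quotes
// with a backslash; the function names here are illustrative.
using System;
using System.Diagnostics;
using System.IO;

static class DevScriptArgs
{
    // Vulnerable shape. cmd.exe toggles quoted mode on every double quote and
    // knows nothing about backslash escapes, so the quote inside
    // `test" & calc & echo "` closes the quoted region and the `&` that
    // follows is a command separator, exactly as the finding says.
    public static string BuildUnsafeCommandLine(string solution)
    {
        string escaped = solution.Replace("\"", "\\\"");   // assumed escaping in dev.cs
        return $"dotnet restore \"{escaped}\"";             // later handed to: cmd.exe /c <this>
    }

    // Hardened shape: launch dotnet directly with one ArgumentList entry per
    // argument. .NET quotes each entry for CreateProcess itself and no shell
    // re-parses the line, so metacharacters reach dotnet as plain characters.
    public static ProcessStartInfo BuildSafeStartInfo(string solution)
    {
        var psi = new ProcessStartInfo
        {
            FileName = "dotnet",
            UseShellExecute = false,
        };
        psi.ArgumentList.Add("restore");
        psi.ArgumentList.Add(solution);
        return psi;
    }

    // Defence in depth: a dev helper only needs an existing .sln under the
    // repo root, so refuse anything else before it reaches a process at all.
    public static bool IsAcceptableSolutionPath(string solution, string repoRoot)
    {
        if (string.IsNullOrWhiteSpace(solution)) return false;
        if (solution.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return false;
        if (!solution.EndsWith(".sln", StringComparison.OrdinalIgnoreCase)) return false;

        string full = Path.GetFullPath(solution, repoRoot);
        string root = Path.GetFullPath(repoRoot)
                          .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) && File.Exists(full);
    }

    static int Main(string[] args)
    {
        // Constructed input: the payload quoted in the finding.
        string payload = "test\" & calc & echo \"";

        // cmd.exe tokenizes the resulting line as `"test\"`, `& calc`,
        // `& echo \`, `""`, so calc runs as its own command.
        Console.WriteLine("cmd.exe /c would receive: " + BuildUnsafeCommandLine(payload));

        // With ArgumentList the whole payload stays a single argument.
        var safe = BuildSafeStartInfo(payload);
        Console.WriteLine("ArgumentList entries for the same input:");
        foreach (string a in safe.ArgumentList)
            Console.WriteLine("  [" + a + "]");

        // Real use: only spawn the process once the argument passes validation.
        if (args.Length != 1 || !IsAcceptableSolutionPath(args[0], Directory.GetCurrentDirectory()))
        {
            Console.Error.WriteLine("usage: dev <path/to/solution.sln> (must exist under the repo root)");
            return 2;
        }
        using var p = Process.Start(BuildSafeStartInfo(args[0]))!;
        p.WaitForExit();
        return p.ExitCode;
    }
}
```

Two caveats for whoever picks this up in the PR. First, `ArgumentList` only helps when the `FileName` is the tool itself; if the script must go through `cmd.exe /c` (for example to run a `.cmd` wrapper), cmd re-parses the entire line and no per-argument quoting survives, so the only safe option is to keep caller-controlled data off that line entirely. Second, if the non-Windows branch of the same helper does the equivalent with `sh -c`, it has the same problem with a different metacharacter set (`;`, `|`, `$(...)`, backticks), and the same `ArgumentList` fix applies there.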
