fix: Use where.exe on Windows and redirect streams in IsCommandAvaila…

1b2d34a
chore: Added a little dev script to help contributors #4793

@sentry/warden / warden completed Mar 25, 2026 in 39s

1 issue

Medium

Command injection via solution argument on Windows - `dev.cs:53`

The solution command-line argument is interpolated into shell commands without sanitization (lines 53, 113). On Windows, when passed through cmd.exe /c (line 134), special characters like &, |, or > can escape the double-quote wrapping and execute arbitrary commands. For example, ./dev.cs cleanslate 'foo" & calc & "' could execute calc. While this is a local dev script requiring deliberate malicious input, it's a security anti-pattern.

4 skills analyzed
Skill Findings Duration Cost
code-review 0 34.3s $0.12
find-bugs 1 34.0s $0.14
gha-security-review 0 12.9s $0.08
security-review 0 26.8s $0.13

Duration: 1m 48s · Tokens: 142.5k in / 3.4k out · Cost: $0.48 (+dedup: $0.01, +extraction: $0.00)