fix: Use where.exe on Windows and redirect streams in IsCommandAvaila…

1b2d34a
Open

chore: Added a little dev script to help contributors #4793

@sentry/warden / warden: find-bugs completed Mar 25, 2026 in 35s

1 issue

find-bugs: Found 1 issue (1 medium)

Medium

Command injection via solution argument on Windows - `dev.cs:53`

The `solution` command-line argument is interpolated into shell commands without sanitization (lines 53, 113). On Windows, when passed through `cmd.exe /c` (line 134), special characters like `&`, `|`, or `>` can escape the double-quote wrapping and execute arbitrary commands. For example, `./dev.cs cleanslate 'foo" & calc & "'` could execute `calc`. While this is a local dev script requiring deliberate malicious input, it's a security anti-pattern.


Duration: 34.0s · Tokens: 46.5k in / 1.3k out · Cost: $0.14
