Copilot AI commented Dec 24, 2025

Addresses 14 review comments from the copilot-pull-request-reviewer on PR #323, focusing on security vulnerabilities, error handling, and code quality improvements.

Security Fixes

  • Command injection vulnerability: Changed run() method from shell string execution to direct argument passing
    // Before: vulnerable to injection via args
    spawnSync(command, { stdio: 'inherit', shell: true });
    
    // After: safe argument passing
    spawnSync(binaryPath, args, { stdio: 'inherit' });
  • URL manipulation prevention: Added regex validation for version strings (/^v\d+\.\d+\.\d+$/)
  • Socket resource leak: Added 5-second timeout with proper cleanup for RPC port checks

Error Handling

  • Archive cleanup moved to finally block to ensure removal even on extraction failure
  • Binary extraction validation added with explicit error message
  • Enhanced error messages with actionable guidance (network connectivity, permissions, version availability)

Platform Support

  • Added macOS x64 architecture support (previously ARM64-only)
  • Fixed binary name detection to match extracted archive names across platforms (ARM64, x64, Windows)

Code Quality

  • Removed redundant runWithArgs() method
  • Changed require('net') to ES6 import * as net
  • Network validation uses Object.values(Network) enum instead of hardcoded strings
  • Added await for async status() function call
  • Removed obsolete TODO comment

Minor Fixes

  • Fixed README heading capitalization: "Watch Network with TUI"
  • Added package-lock.json to .gitignore


Copilot AI and others added 2 commits December 24, 2025 22:01
Co-authored-by: RetricSu <23436060+RetricSu@users.noreply.github.com>
Co-authored-by: RetricSu <23436060+RetricSu@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add status command with ckb-tui integration" to "Address PR review comments: fix security vulnerabilities and improve error handling" Dec 24, 2025
Copilot AI requested a review from RetricSu December 24, 2025 22:06
@RetricSu RetricSu marked this pull request as ready for review December 24, 2025 22:16
@RetricSu RetricSu merged commit 801836e into integrate-tui Dec 24, 2025
1 check failed
@RetricSu RetricSu deleted the copilot/sub-pr-323 branch December 24, 2025 22:17