20 changes: 5 additions & 15 deletions dotnet/private/dotnet_format.bzl
@@ -52,11 +52,8 @@ DOTNET_DIR="$WORKSPACE_ROOT/dotnet"

cd "$DOTNET_DIR"

echo "Running dotnet format $@ on all projects..."
find "$DOTNET_DIR/src" "$DOTNET_DIR/test" -name "*.csproj" 2>/dev/null | while read -r proj; do
echo " Formatting $proj..."
"$DOTNET" format "$@" "$proj" || exit 1
done || exit 1
echo "Running dotnet format $@ on Selenium.slnx..."
"$DOTNET" format "$@" Selenium.slnx || exit 1


Action required

2. Workspace arg after options 🐞 Bug ≡ Correctness

dotnet_format appends Selenium.slnx after all forwarded args ($@ / %*), so the solution path
can be consumed as the value for an option that expects a parameter (e.g., --diagnostics) instead
of being treated as the workspace. This can make dotnet format run against an unintended workspace
or fail due to mis-parsed arguments.
Agent Prompt
## Issue description
The wrapper currently runs `dotnet format` with forwarded args first and the workspace (`Selenium.slnx`) last. If the last forwarded argument is an option that requires a value, `Selenium.slnx` can be treated as that value instead of the workspace.

## Issue Context
This target is invoked by other tooling (e.g., rake tasks / format scripts) and forwards arbitrary args to `dotnet format`.

## Fix Focus Areas
- dotnet/private/dotnet_format.bzl[55-56]
- dotnet/private/dotnet_format.bzl[90-91]

## Suggested change
Update both scripts to place the workspace immediately after `format`:
- Unix: `"$DOTNET" format Selenium.slnx "$@" || exit 1`
- Windows: `"%DOTNET%" format Selenium.slnx %* || exit /b 1`



echo "Done."
""".format(
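Review bot: `cd "$DOTNET_DIR"` in this hunk's leading context has no failure guard, while the Windows hunk adds `cd /d "%DOTNET_DIR%" || exit /b 1`; if the directory is missing or unreadable, the new `"$DOTNET" format "$@" Selenium.slnx` line runs from the caller's working directory and fails with a misleading "workspace not found" error instead of a clear one. Suggest `cd "$DOTNET_DIR" || exit 1` so the Unix and Windows wrappers fail the same way.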
@@ -88,17 +85,10 @@ if defined BUILD_WORKSPACE_DIRECTORY (
)
set DOTNET_DIR=%WORKSPACE_ROOT%\\dotnet

cd /d "%DOTNET_DIR%"
cd /d "%DOTNET_DIR%" || exit /b 1

echo Running dotnet format %* on all projects...
for /r "%DOTNET_DIR%\\src" %%p in (*.csproj) do (
echo Formatting %%p...
"%DOTNET%" format %* "%%p" || exit /b 1
)
for /r "%DOTNET_DIR%\\test" %%p in (*.csproj) do (
echo Formatting %%p...
"%DOTNET%" format %* "%%p" || exit /b 1
)
echo Running dotnet format %* on Selenium.slnx...
"%DOTNET%" format %* Selenium.slnx || exit /b 1


Action required

1. Windows %* passed unsafely 📘 Rule violation ⛨ Security

The Windows script forwards %* directly into the dotnet format command, which can be interpreted
by cmd.exe if arguments contain metacharacters like & or |. This violates the safe argument
handling requirement for build/CI scripts.
Agent Prompt
## Issue description
The Windows wrapper uses `%*` directly in a command invocation, which is unsafe in `cmd.exe` because metacharacters in forwarded arguments can alter command parsing.

## Issue Context
This script is an executable entrypoint; forwarded args should be either disallowed, strictly validated/whitelisted, or passed via a safer mechanism (e.g., only known flags, response file, or controlled argument construction).

## Fix Focus Areas
- dotnet/private/dotnet_format.bzl[91-91]



echo Done.
""".format(
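Review bot: `%*` is expanded on the `echo Running dotnet format %* on Selenium.slnx...` line as well as on the `"%DOTNET%" format %* Selenium.slnx` line, so any validation or allowlisting of forwarded arguments has to run before the echo, not only around the `format` invocation. While touching that line, move the workspace ahead of the forwarded arguments (`"%DOTNET%" format Selenium.slnx %*`) in the same change as the Unix script so the two wrappers do not drift in argument handling.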
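A hardened form of the Unix wrapper that addresses both findings above (workspace placed immediately after `format`, forwarded arguments allowlisted before they reach the command), as an added example that is not part of this PR or the project's code. The allowlisted option names and the value character set are assumptions, and `run_dotnet_format` assumes the caller has already changed into the dotnet directory.

```shell
#!/bin/sh
# Added example (not the PR's code): workspace goes right after `format` so an
# option that expects a value cannot swallow `Selenium.slnx`, and forwarded
# arguments are allowlisted. The option lists below are assumptions.

is_boolean_flag() {
  case "$1" in
    --verify-no-changes|--no-restore) return 0 ;;
    *) return 1 ;;
  esac
}

takes_value() {
  case "$1" in
    --verbosity|-v|--diagnostics|--severity) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_format_args ARG...: returns 0 when every argument is an allowed
# flag, or an allowed option followed by a plain value (letters, digits and
# _ . , : - only), and 1 otherwise. Values starting with '-' are rejected.
validate_format_args() {
  while [ $# -gt 0 ]; do
    if is_boolean_flag "$1"; then
      shift
    elif takes_value "$1"; then
      [ $# -ge 2 ] || { echo "error: $1 requires a value" >&2; return 1; }
      case "$2" in
        -*|''|*[!A-Za-z0-9_.,:-]*) echo "error: unsafe value for $1: $2" >&2; return 1 ;;
      esac
      shift 2
    else
      echo "error: option not allowed: $1" >&2; return 1
    fi
  done
  return 0
}

# build_dotnet_format_argv WORKSPACE ARG...: prints the argv one entry per line.
build_dotnet_format_argv() {
  workspace=$1; shift
  validate_format_args "$@" || return 1
  printf '%s\n' format "$workspace" "$@"
}

# run_dotnet_format ARG...: the invocation the Bazel target would execute.
run_dotnet_format() {
  validate_format_args "$@" || exit 1
  exec "${DOTNET:-dotnet}" format Selenium.slnx "$@"
}
```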