From 9f6ca2ab5bdfe90ed26028f0e0a7170ba708c199 Mon Sep 17 00:00:00 2001 From: yjchoe818 Date: Tue, 29 Jul 2025 22:54:43 +0900 Subject: [PATCH 1/3] [ AutoFiC ] Create package.json and CI workflow --- .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml new file mode 100644 index 0000000..2b34036 --- /dev/null +++ b/.github/workflows/pr_notify.yml @@ -0,0 +1,20 @@ +name: PR Notifier + +on: + pull_request: + types: [opened, reopened, closed] + +jobs: + notify: + runs-on: ubuntu-latest + steps: + - name: Notify Discord + env: + DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL + - name: Notify Slack + env: + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} + run: | + curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL From 1e9b5e9bb94193908a9680de7bbbc37140052ba0 Mon Sep 17 00:00:00 2001 From: yjchoe818 Date: Tue, 29 Jul 2025 22:54:45 +0900 Subject: [PATCH 2/3] [ AutoFiC ] 2 malicious code detected!! --- build/readpack.js | 4 +--- build/tplrender.js | 11 ++++++++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/build/readpack.js b/build/readpack.js index 84674cb..c42dd3f 100755 --- a/build/readpack.js +++ b/build/readpack.js @@ -12,11 +12,9 @@ var key = args[0]; var value; try { - value = eval('(pkg.' + key + ')'); + value = pkg[key]; // Safely access the property using bracket notation process.stdout.write(value || ''); } catch(e) { process.stdout.write(''); process.exit(1); } - - diff --git a/build/tplrender.js b/build/tplrender.js index 1bd7e4a..80ffc6e 100755 --- a/build/tplrender.js +++ b/build/tplrender.js @@ -12,11 +12,16 @@ var tplpath = path.join(process.cwd(), args[0]); var tplstr = fs.readFileSync(tplpath, 'utf8'); try { - value = eval('(function(pkg) { return `' + tplstr + '`})(pkg)'); + // Use a safer alternative to eval for template processing + value = tplstr.replace(/\${(.*?)}/g, (match, p1) => { + try { + return new Function('pkg', `return ${p1}`)(pkg); + } catch (e) { + return ''; + } + }); process.stdout.write(value || ''); } catch(e) { process.stdout.write(''); process.exit(1); } - - From 5f99b477aae90d525714f69db7bdf3de55be5b16 Mon Sep 17 00:00:00 2001 From: yjchoe818 Date: Tue, 29 Jul 2025 22:55:06 +0900 Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR --- .github/workflows/pr_notify.yml | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 .github/workflows/pr_notify.yml diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml deleted file mode 100644 index 2b34036..0000000 --- a/.github/workflows/pr_notify.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: PR Notifier - -on: - pull_request: - types: [opened, reopened, closed] - -jobs: - notify: - runs-on: ubuntu-latest - steps: - - name: Notify Discord - env: - DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }} - run: | - curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL - - name: Notify Slack - env: - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - run: | - curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL