fix: use env command for bash array execution [E-1815] #33
Merged
jonathansantilli merged 1 commit into main, Apr 8, 2026
…ments

The autofixer test suite uses act to run the action locally and replaces npx --yes mobbdev@latest with API_URL=http://... node .../dist/index.mjs via sed.

Bash arrays don't support inline VAR=value command syntax (the VAR=value is treated as a command name, not an env var assignment). The env command handles this correctly, passing the variable to the child process.

This works for both:
- Normal use: env npx --yes mobbdev@latest review ...
- Test override: env API_URL=http://... node .../index.mjs review ...

Ref: E-1815
Kirill89 approved these changes Apr 8, 2026
jonathansantilli added a commit that referenced this pull request Apr 8, 2026
…-1815] (#35)

* Revert "fix: use env command for array execution to support inline var assignments (#33)"

  This reverts commit bf76c59.

* Revert "fix: prevent shell injection via eval in action.yml and review/action.yml [E-1815] (#31)"

  This reverts commit a12bce4.

* fix: extract URL from mobbdev CLI output

  The mobbdev CLI now prefixes its output with status messages like "[WebSocket Mode] Using WebSocket subscription..." before the URL. Extract just the https:// URL using grep.

  Ref: E-1815
Summary

Fixes the autofixer test failure introduced by the security fix in PR #31.

The change is a one-line fix in both action.yml and review/action.yml:

Root Cause

The autofixer test suite uses act to run the action locally. It replaces npx --yes mobbdev@latest with API_URL=http://localhost:8080/v1/graphql node .../dist/index.mjs via sed.

PR #31 replaced eval $MobbExecString with bash array execution ("${MOBB_ARGS[@]}"). This is correct for security (prevents shell injection), but bash arrays don't support inline VAR=value command syntax, bash treats API_URL=http://... as a command name instead of an env var assignment.

The env command handles this correctly:
- env npx --yes mobbdev@latest review ... — works
- env API_URL=http://... node .../index.mjs review ... — works

Test plan
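
The behaviour described in the Root Cause section, as an added bash example that is not part of the PR or the project's action.yml: it contrasts eval with array execution, shows an array whose first element is VAR=value failing, and shows the env prefix working with and without an assignment. The function names, the echo and sh -c stand-ins for the mobbdev CLI, and the sample input are constructed for illustration; the URL is the one quoted in the description.

```shell
#!/usr/bin/env bash
# Arrays are a bash feature: re-exec under bash if started by a plain POSIX sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"

# Constructed stand-in for the CLI: a child process that reports the API_URL it sees.
SHOW_URL='echo "API_URL=${API_URL:-unset}"'
TEST_URL='http://localhost:8080/v1/graphql'  # URL quoted in the PR description

# Before: the command is a single string and eval re-parses it, so shell
# metacharacters inside $1 become syntax instead of data.
run_with_eval() {
  local cmd="echo review --repo $1"
  eval $cmd
}

# After: one array element per argument; $1 is never re-parsed by the shell.
run_with_array() {
  local -a args=(echo review --repo "$1")
  "${args[@]}"
}

# Assignments are recognised before expansion, so an expanded element that
# looks like VAR=value is taken as the command name. Reports the exit status.
run_inline_assignment() {
  local -a args=("API_URL=$TEST_URL" sh -c "$SHOW_URL")
  local rc=0
  "${args[@]}" 2>/dev/null || rc=$?
  echo "exit=$rc"
}

# With env as element 0, env applies the assignment and executes the rest.
run_with_env() {
  local -a args=(env "API_URL=$TEST_URL" sh -c "$SHOW_URL")
  "${args[@]}"
}

# With no assignment, env just runs the command (the normal-use path).
run_with_env_plain() {
  local -a args=(env sh -c "$SHOW_URL")
  ( unset API_URL; "${args[@]}" )
}

# Demo on constructed input containing a shell metacharacter.
for f in run_with_eval run_with_array; do echo "[$f]"; "$f" 'x; echo INJECTED'; done
for f in run_inline_assignment run_with_env run_with_env_plain; do echo "[$f]"; "$f"; done
```
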