Merge pull request #4 from squaredup/INT-001-Code-alerts

TimWheeler-SQUP · web-flow · commit 7e97190c9856 · 2026-03-09T14:27:40.000Z
INT-001-Code-Alert update
diff --git a/src/Config/config.js b/src/Config/config.js
@@ -1,4 +1,3 @@
-// This is a fake AWS Access Key and Secret Key for testing Secret Scanning.
-// GitHub will identify the pattern and flag it as a "Critical" alert.
-const AWS_ACCESS_KEY_ID = "AKIA1234567890EXAMPLE";
-const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
+// AWS Access Key and Secret Key for testing Secret Scanning.
+const AWS_ACCESS_KEY_ID = "AKIA12345678907890";
+const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYRGR444";
diff --git a/src/utils/child_process.ts b/src/utils/child_process.ts
@@ -1,13 +1,8 @@
 import { exec } from 'child_process';
 
-/**
- * This function is intentionally vulnerable to Command Injection.
- * CodeQL (GitHub Code Scanning) should flag the use of `exec` 
- * with a variable that could contain malicious commands.
+/* CodeQL (GitHub Code Scanning) should flag the use of `exec` with untrusted input as a "Critical" alert for Command Injection.
  */
 export function runUserCommand(userInput: string) {
-  // Vulnerability: `userInput` is passed directly to the shell.
-  // An attacker could provide "ls; rm -rf /" to execute arbitrary commands.
   exec(`echo ${userInput}`, (error, stdout, stderr) => {
     if (error) {
       console.error(`Error: ${error.message}`);
