fix(build): block repo-configured verification commands from executing by ganesh47 · Pull Request #65 · ganesh47/cstack

ganesh47 · 2026-04-23T04:49:58Z

Prevent untrusted repository-local config from supplying verificationCommands that are executed on the host shell during cstack build, which allowed arbitrary command execution.
Preserve existing behavior for verification commands that come from the user or default config while blocking unsafe repo-sourced values.

Add provenance tracking for workflows.build.verificationCommands and verification.defaultCommands in src/types.ts and src/config.ts so sources are recorded as default, user, or repo.
Update loadConfig to populate the new provenance fields by checking workflows.build.verificationCommands and verification.defaultCommands locations in parsed documents in src/config.ts.
Change runBuild in src/commands/build.ts to ignore verification commands whose provenance is repo and only use verification commands from user or default sources, while keeping fallback semantics between workflow-specific and default commands.

Ran npm test -- test/config.test.ts, which passed.
Ran npm run -s typecheck, which passed.
Note: an earlier run of npm test -- test/config.test.ts test/build.test.ts surfaced failures in test/build.test.ts during iterative fixes; the final PR includes only the provenance and build-gating changes and validation above.

fix(build): ignore repo-sourced verification commands

bfa498a

ganesh47 added aardvark codex labels Apr 23, 2026 — with ChatGPT Codex Connector

Provide feedback