
Potential fix for code scanning alert no. 7: Unvalidated dynamic method call#23

Merged
ialejandro merged 1 commit into main from fix/alert-autofix-7
Feb 15, 2026

Conversation

@ialejandro
Member

Potential fix for https://github.com/devops-ia/self-learning-platform/security/code-scanning/7

In general, to fix unvalidated dynamic method calls you ensure that: (1) the method name is restricted to a safe set (or at least checked as an own property), (2) the resolved value is verified to be a function, and (3) the invocation is wrapped so that any unexpected exception is handled gracefully instead of crashing the request. In this code, steps (1) and (2) are already implemented when selecting handlerToExecute, but the final call on line 52 is unprotected.

The best minimal fix that preserves existing behavior is to (a) re‑check that handlerToExecute is still a function right before invocation, and (b) wrap the call in a try/catch so that any exception from the handler returns a structured TerminalResponse instead of propagating. This does not require changing how commands are matched or how handlers are defined, and it avoids any new dependencies. Concretely, in src/lib/terminal/simulator.ts, replace the block:

51:   if (handlerToExecute) {
52:     return handlerToExecute(currentCode);
53:   }

with a block that ensures typeof handlerToExecute === "function" and catches errors, mapping them to a non‑crashing terminal output (for example, an error message and non‑zero exit code). No changes are needed in src/app/api/terminal/route.ts.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Iván Alejandro Marugán <hello@ialejandro.rocks>
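As an added example (not the project's code), the three steps described above in TypeScript: an own-property check on the handler table, a typeof guard on handlerToExecute, and a try/catch that maps a throwing handler to a structured TerminalResponse. The TerminalResponse fields, the handler names and the exit codes are assumptions.

```typescript
// Added example, not the repository's simulator.ts. The TerminalResponse shape,
// handler names and exit codes are assumptions; only the pattern (own-property
// check, typeof check, try/catch) follows the PR description.
interface TerminalResponse {
  output: string;
  exitCode: number;
}

type CommandHandler = (currentCode: string) => TerminalResponse;

// Plain-object lookup table. Without an own-property check, a command such as
// "constructor" or "toString" resolves through the prototype chain to a
// function that is not a handler at all.
const handlers: Record<string, CommandHandler> = {
  ls: (code) => ({ output: `lines: ${code.split("\n").length}`, exitCode: 0 }),
  cat: (code) => ({ output: code, exitCode: 0 }),
  // Deliberately faulty handler (constructed) to show exceptions are contained.
  crash: () => {
    throw new Error("handler failure");
  },
};

function runCommand(command: string, currentCode: string): TerminalResponse {
  // (1) restrict the method name to own properties of the handler table
  if (!Object.prototype.hasOwnProperty.call(handlers, command)) {
    return { output: `command not found: ${command}`, exitCode: 127 };
  }
  const handlerToExecute = handlers[command];
  // (2) verify the resolved value is actually a function before invoking it
  if (typeof handlerToExecute !== "function") {
    return { output: `invalid handler for: ${command}`, exitCode: 1 };
  }
  // (3) contain any exception so the request returns a structured error
  try {
    return handlerToExecute(currentCode);
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err);
    return { output: `error: ${message}`, exitCode: 1 };
  }
}
```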
@ialejandro ialejandro marked this pull request as ready for review February 15, 2026 18:43
@ialejandro ialejandro merged commit d2e5cbc into main Feb 15, 2026
15 checks passed
@ialejandro ialejandro deleted the fix/alert-autofix-7 branch February 15, 2026 19:14
github-actions bot pushed a commit that referenced this pull request Feb 15, 2026
## [1.1.3](v1.1.2...v1.1.3) (2026-02-15)

### Bug Fixes

* Unvalidated dynamic method call ([#23](#23)) ([d2e5cbc](d2e5cbc))
@github-actions

🎉 This PR is included in version 1.1.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
