Action brief from the marketplace-wide review (see docs/review-2026-06-20.md). Three shell/path
injection sinks: F-1 CRITICAL zero-interaction RCE in git-forensics.mjs (execSync shell string +
attacker-controlled filenames; reproduced), F-2 HIGH path-containment write in auto-cleaner.mjs,
F-3 HIGH command injection in the supply-chain hook. Common fix: execSync(string) -> spawnSync(array)
/ input containment. DO AFTER the current active session finishes.
Disclosure hold: this brief + review-2026-06-20.md (
|
||
|---|---|---|
| .. | ||
| plans | ||
| ci-cd-guide.md | ||
| critical-review-2026-04-20.md | ||
| defense-philosophy.md | ||
| review-2026-06-20.md | ||
| scanner-reference.md | ||
| security-fix-brief-2026-06-20.md | ||
| security-hardening-guide.md | ||
| version-history.md | ||