fix: remove broken GitHub App install link#912
Conversation
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.
Tip: disable this comment in your organization's Code Review settings.
📝 WalkthroughWalkthroughThe CLI now reads the GitHub App install URL from ALTIMATE_CODE_GITHUB_APP_INSTALL_URL (empty by default) and validates it before opening a browser; the test and multiple README/docs links/badge were updated to remove the hardcoded /installations/new reference. ChangesGitHub App install URL config & docs
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested labels
Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
anandgupta42
force-pushed
the
fix/stable-github-app-install-url
branch
from
3f2bf72 to
6aded6e
Compare
anandgupta42
changed the title
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
packages/opencode/src/cli/cmd/github.ts (1)
337-352:⚠️ Potential issue | 🟠 Major | ⚡ Quick winCommand injection risk from env-controlled install URL.
On Line 337/345-352,
GITHUB_APP_INSTALL_URLcomes fromALTIMATE_CODE_GITHUB_APP_INSTALL_URLand is interpolated into a shell command passed toexec(...). A crafted value with quotes/metacharacters can break out of the quoted URL and execute arbitrary commands.Use non-shell process APIs (
execFile/spawnwith argument arrays) and validate withnew URL(...)+ allowlisted host/path before launching.Suggested hardening
-import { exec } from "child_process" +import { execFile } from "child_process" ... - const command = - process.platform === "darwin" - ? `open "${url}"` - : process.platform === "win32" - ? `start "" "${url}"` - : `xdg-open "${url}"` - - exec(command, (error) => { + let parsed: URL + try { + parsed = new URL(url) + } catch { + s.stop("GitHub app installation URL is invalid.") + throw new UI.CancelledError() + } + if (parsed.protocol !== "https:" || parsed.hostname !== "github.com" || !parsed.pathname.startsWith("/apps/")) { + s.stop("GitHub app installation URL must be a https://github.com/apps/... URL.") + throw new UI.CancelledError() + } + + const [bin, args] = + process.platform === "darwin" + ? ["open", [parsed.toString()]] + : process.platform === "win32" + ? ["rundll32", ["url.dll,FileProtocolHandler", parsed.toString()]] + : ["xdg-open", [parsed.toString()]] + + execFile(bin, args, (error) => { if (error) { prompts.log.warn(`Could not open browser. Please visit: ${url}`) } })🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@packages/opencode/src/cli/cmd/github.ts` around lines 337 - 352, The code builds a shell command using GITHUB_APP_INSTALL_URL and passes it to exec (see the exec call and command variable assembled based on process.platform), which allows command injection; fix by parsing and validating GITHUB_APP_INSTALL_URL with new URL(...) and enforcing an allowlist on hostname/path, then launch the browser without a shell by using execFile or spawn with an argument array (platform-specific handling for "open"/"start"/"xdg-open" commands) instead of interpolating the URL into a shell string; update the code around the command variable, the exec(...) invocation, and any error handling to use the new validated URL and non-shell process API.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@packages/opencode/src/cli/cmd/github.ts`:
- Around line 337-352: The code builds a shell command using
GITHUB_APP_INSTALL_URL and passes it to exec (see the exec call and command
variable assembled based on process.platform), which allows command injection;
fix by parsing and validating GITHUB_APP_INSTALL_URL with new URL(...) and
enforcing an allowlist on hostname/path, then launch the browser without a shell
by using execFile or spawn with an argument array (platform-specific handling
for "open"/"start"/"xdg-open" commands) instead of interpolating the URL into a
shell string; update the code around the command variable, the exec(...)
invocation, and any error handling to use the new validated URL and non-shell
process API.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: 43a90369-b9c8-455b-a944-2bd25d975c4a
📒 Files selected for processing (5)
README.mddocs/docs/usage/dbt-pr-review.mdgithub/README.mdpackages/opencode/src/cli/cmd/github.tspackages/opencode/test/cli/github-action.test.ts
dev-punia-altimate
left a comment
dev-punia-altimate
left a comment
There was a problem hiding this comment.
Multi-Persona Review — Verdict: skipped
Multi-persona review completed.
0/0 agents completed · 2s · 0 findings (0 critical, 0 high, 0 medium)
Multi-Persona Review · vllm:qwen3-next-80b (waves) + vllm-fallback (synth) ·
❌ Tests — Failures DetectedTypeScript — 15 failure(s)
Next StepPlease address the failing cases above and re-run verification. |
🤖 Code Review — OpenCodeReview (Gemini) — No Issues FoundNo comments generated. Looks good to me. |
2 participants
Summary
altimate-code-agentGitHub App links from README/docsALTIMATE_CODE_GITHUB_APP_INSTALL_URLexplicitlyValidation
rg -n "github.com/apps/altimate-code-agent|installations/new|Install GitHub App|Install the GitHub App" README.md docs github packages/opencode/src/cli/cmd/github.ts packages/opencode/test/cli/github-action.test.tsreturned no matchesbun test --timeout 30000 test/cli/github-action.test.ts test/skill/release-v0.8.5-adversarial.test.tsbun run typecheckContext: PR #900 was already merged and released. GitHub returns 404 for
/apps/altimate-code-agent, so this PR removes the broken public link instead of replacing it with another guessed URL.Summary by CodeRabbit
Bug Fixes
Documentation
Tests