Skip to content

NEW @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key#2066

Open
nikhil-mittal-165 wants to merge 2 commits into
devfrom
feature/W-23442992-remove-custom-engine-plugin-modules
Open

NEW @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key#2066
nikhil-mittal-165 wants to merge 2 commits into
devfrom
feature/W-23442992-remove-custom-engine-plugin-modules

Conversation

@nikhil-mittal-165

Copy link
Copy Markdown
Contributor

No description provided.

@aruntyagiTutu aruntyagiTutu left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

APPROVED — correctly stops the CLI from invoking the vulnerable dynamic-plugin-loading API, closing this repo's side of the RCE (companion to code-analyzer-core#483).

Review Against Guidelines ✅

5. Architecture ✅ — Removes all three call sites (ConfigAction, RulesAction, RunAction) that fed custom_engine_plugin_modules into core.dynamicallyAddEnginePlugin. Also cleans up the now-obsolete TODO comments that referenced the removed hidden feature.

Correctness ✅ — Since this only deletes calls to core APIs rather than depending on their removal, it compiles and functions correctly even before code-analyzer-core bumps its version to include #483 — a safe, independently-deployable mitigation.

8. PR Hygiene ⚠️ (non-blocking) — The PR description is empty. Given this is explicitly a security fix paired with forcedotcom/code-analyzer-core#483 for the same GUS ticket (W-23442992), it would help future readers (and anyone auditing the bug bounty fix) to state the summary and link the companion PR directly, per the guide's "reference related PRs" guidance. Worth adding before merge, but not a blocker since the commit title and code are self-explanatory.

13. Dependency Management — Note for follow-up: once code-analyzer-core#483 merges and releases, this repo's @salesforce/code-analyzer-core dependency (currently 0.49.0) should be bumped so the hidden config key/method are fully removed end-to-end rather than just unused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants