gnodet opened a new pull request, #22480:
URL: https://github.com/apache/camel/pull/22480
## Summary
Fix two SonarCloud security hotspots:
- **sonar-scan.yml: Inline composite action and use env var for token**
- Replace `uses: ./.github/actions/install-packages` with inlined
commands. The workflow checks out fork code first, so a composite action
reference resolves to the fork's version, allowing a malicious fork to inject
arbitrary commands.
- Move `SONARCLOUD_TOKEN` from the Maven command line
(`-Dsonar.token=...`) to the `SONAR_TOKEN` environment variable (natively
supported by the sonar-maven-plugin). This prevents the token from being
visible in `/proc/<pid>/cmdline` and from being intercepted by a fork-modified
`./mvnw`.
- **AbstractTaskPredictor.java: Add POSIX temp directory permissions**
- The `Files.createTempDirectory("hf_model")` call creates a temp
directory without restrictive permissions. This directory contains Python
scripts that get executed. On POSIX systems, the directory is now created with
owner-only permissions (rwx------), following the same pattern used in
`DoclingProducer.java`.
## Test plan
- [ ] Verify sonar-scan workflow still runs correctly on a PR (the inlined
commands are identical to the composite action)
- [ ] Verify the huggingface module builds: `mvn install -B -pl
components/camel-ai/camel-huggingface -DskipTests`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
