chore(seed): Adjust devbox and scripts to enable seed --local for all sdk generators #14709
| "export PATH=\"$(go env GOPATH)/bin:$PATH\"", | ||
| "command -v golangci-lint &>/dev/null || { echo 'Installing golangci-lint...'; go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.10.1 2>/dev/null || true; }", | ||
| "mkdir -p \"$HOME/.local/bin\"", | ||
| "if [ ! -f \"$HOME/.local/bin/composer\" ]; then echo 'Installing composer...'; curl -sSL https://getcomposer.org/download/latest-2.x/composer.phar -o \"$HOME/.local/bin/composer\" && chmod +x \"$HOME/.local/bin/composer\"; fi", |
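Review bot: the composer line (last line of the hunk) downloads with `curl -sSL ... -o` but no `-f`/`--fail`, so an HTTP error page (a 404 or maintenance page) is saved to `$HOME/.local/bin/composer` with exit status 0, `&& chmod +x` then marks it executable, and the `[ ! -f ... ]` guard stops every later init from retrying. Use `curl -fsSL ...` so a failed download exits non-zero and the `chmod +x` is skipped, and download to a temporary path that is moved into place only on success so a partial file cannot satisfy the guard. The same applies to the golangci-lint line, where `2>/dev/null || true` hides installation failures entirely; `&>/dev/null` there is also a bashism, so prefer `>/dev/null 2>&1` if the hook may run under a POSIX sh.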
Unverified binary downloads in devbox init hook
Two PHP PHAR executables are downloaded via curl -sSL … | chmod +x with no integrity check (no --sha256 or signature verification). The latest-2.x URL path for composer is mutable — it resolves to whatever the server currently serves. If either getcomposer.org or cs.symfony.com is compromised, or if DNS/routing is hijacked, a malicious PHP executable will be silently installed and placed on $PATH of every developer who initialises this devbox, giving the attacker arbitrary code execution on their machine. The once-written guard ([ ! -f … ]) prevents re-download but provides no tamper detection after the fact.
Pin the composer and php-cs-fixer downloads to a specific, immutable release URL and verify a SHA-256 checksum before making the file executable. For example:
```bash
# Composer: pin to a specific version and verify checksum
COMPOSER_VERSION="2.8.4"
COMPOSER_EXPECTED_SHA="<sha256 from https://getcomposer.org/download/${COMPOSER_VERSION}/composer.phar.sha256sum>"
if [ ! -f "$HOME/.local/bin/composer" ]; then
  curl -sSL "https://getcomposer.org/download/${COMPOSER_VERSION}/composer.phar" -o "$HOME/.local/bin/composer"
  # sha256sum -c expects "<hash>  <file>" (two spaces between hash and path)
  echo "${COMPOSER_EXPECTED_SHA}  $HOME/.local/bin/composer" | sha256sum -c - || { rm "$HOME/.local/bin/composer"; echo 'Composer checksum mismatch!'; exit 1; }
  chmod +x "$HOME/.local/bin/composer"
fi

# php-cs-fixer: similarly pin to a versioned URL
PHP_CS_FIXER_VERSION="v3.65.0"
PHP_CS_FIXER_EXPECTED_SHA="<sha256 from the release>"
if [ ! -f "$HOME/.local/bin/php-cs-fixer" ]; then
  curl -sSL "https://github.com/PHP-CS-Fixer/PHP-CS-Fixer/releases/download/${PHP_CS_FIXER_VERSION}/php-cs-fixer.phar" -o "$HOME/.local/bin/php-cs-fixer"
  echo "${PHP_CS_FIXER_EXPECTED_SHA}  $HOME/.local/bin/php-cs-fixer" | sha256sum -c - || { rm "$HOME/.local/bin/php-cs-fixer"; echo 'php-cs-fixer checksum mismatch!'; exit 1; }
  chmod +x "$HOME/.local/bin/php-cs-fixer"
fi
```
Update the expected SHAs any time you bump the version. This eliminates the mutable-URL risk and detects tampering of already-cached files.

Severity: medium | Confidence: 80%
Co-authored-by: graphite-app[bot] <96075541+graphite-app[bot]@users.noreply.github.com>
| env_paths = os.environ.get("FERN_CORE_UTILITIES_PATH") | ||
| if env_paths is not None: | ||
| for source in env_paths.split(":"): | ||
| if os.path.exists(os.path.join(source, relative_filepath)): | ||
| return source | ||
| return env_paths.split(":")[0] |
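Review bot: besides the unconditional fallback on the last line (the first entry is returned even when none of them contains `relative_filepath`), an empty or trailing-colon value is not `None`: `FERN_CORE_UTILITIES_PATH=""` gives `"".split(":") == [""]`, so `os.path.join("", relative_filepath)` is tested relative to the current working directory and `""` is returned as a source path, and `"a:"` has the same problem for its last entry. Treat an empty variable as unset and skip empty entries, e.g. `[p for p in env_paths.split(":") if p]`; if this can run on Windows hosts, `os.pathsep` rather than a literal `":"` is needed too, since drive letters contain colons.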
Fallback returns first path even when file doesn't exist in any path. If FERN_CORE_UTILITIES_PATH contains multiple colon-separated paths but relative_filepath doesn't exist in any of them, line 343 returns the first path regardless. This will cause file-not-found errors downstream.
Should raise an error or return a default when no valid path is found:

```python
if env_paths is not None:
    for source in env_paths.split(":"):
        if os.path.exists(os.path.join(source, relative_filepath)):
            return source
    # File not found in any provided path - fall through to default behavior
```

Remove line 343 to fall through to the default logic instead of blindly returning an invalid path.
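The lookup discussed above, written out as an added example (not the project's code) with the fall-through and the empty-entry cases handled; `resolve_source`, its `default` parameter and the `demo` scenario with its file names are constructed for illustration.

```python
import os
import tempfile
from typing import Optional


def resolve_source(relative_filepath: str, default: str, env_paths: Optional[str]) -> str:
    """Return the first entry of env_paths that contains relative_filepath, else default.

    env_paths is the raw FERN_CORE_UTILITIES_PATH value, colon-separated as on the page
    (os.pathsep would be the portable choice). None and "" both mean "unset".
    """
    if not env_paths:
        return default
    # Drop empty entries produced by "a::b", "a:" or ":b" so "" is never probed or returned.
    candidates = [p for p in env_paths.split(":") if p]
    for source in candidates:
        if os.path.isfile(os.path.join(source, relative_filepath)):
            return source
    # Not found anywhere: fall through to the default instead of returning candidates[0].
    return default


def demo() -> dict:
    """Constructed scenario: two candidate dirs, the file exists only in the second."""
    with tempfile.TemporaryDirectory() as root:
        first = os.path.join(root, "first")
        second = os.path.join(root, "second")
        default = os.path.join(root, "default")
        for d in (first, second, default):
            os.makedirs(d)
        rel = os.path.join("core_utilities", "example_util.py")  # hypothetical file
        target = os.path.join(second, rel)
        os.makedirs(os.path.dirname(target))
        open(target, "w").close()
        env = f"{first}:{second}"
        return {
            "found_in_second": resolve_source(rel, default, env) == second,
            "missing_falls_back": resolve_source("missing.py", default, env) == default,
            "empty_var_uses_default": resolve_source(rel, default, "") == default,
            "trailing_colon_ok": resolve_source(rel, default, f"{first}:{second}:") == second,
        }


if __name__ == "__main__":
    print(demo())
```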