You can get raw data in a repository: https://github.com/Close-Recover/ADS-Code-Test-Results/tree/main
I'll take out the related information as follows:
In modules/dreamview_plus/frontend/packages/dreamview/scripts/gen.js:
path.re ... ../..') 8:23
DREAMVIEW_DIR 8:7
DREAMVIEW_DIR 16:3
`\n${'.. ... PATH}\n` 14:23
generateProto 14:7
generateProto 25:6
and:
path.re ... le.js') 10:37
DREAMVIEW_PROTO_BUNDLE_PATH 10:7
DREAMVI ... LE_PATH 21:34
`\n${'.. ... PATH}\n` 20:29
generateDeclaration 20:7
generateDeclaration 39:10
In these two places, building a shell command string with values from the enclosing environment may cause subtle bugs or vulnerabilities. And I think they are related to CWE-078 (https://cwe.mitre.org/data/definitions/78.html, https://www.kiuwan.com/docs/display/K5/CWE-78+%3A+OS+Command+Injection).
System information
apollo.sh config (if on master branch):
root@in-dev-docker:/apollo# ./apollo.sh config
[INFO] No rocm-smi found.
[INFO] NVIDIA GPU device found.
[INFO] Apollo Environment Settings:
[INFO] APOLLO_ROOT_DIR: /apollo
[INFO] APOLLO_CACHE_DIR: /apollo/.cache
[INFO] APOLLO_IN_DOCKER: true
[INFO] APOLLO_VERSION: master-2024-05-23-54c820207c
[INFO] DOCKER_IMG: dev-x86_64-18.04-20240326_1453
[INFO] APOLLO_ENV: STAGE=dev USE_ESD_CAN=false
[INFO] USE_GPU_HOST: 1
[INFO] USE_GPU_TARGET: 1
[INFO] GPU_PLATFORM: NVIDIA
[INFO] Configure .apollo.bazelrc in non-interactive mode
[INFO] You have bazel 5.2.0 installed.
[INFO] Found possible Python library paths: /usr/lib/python3/dist-packages /usr/local/lib/python3.6/dist-packages
[INFO] Found CUDA 11.1 in: /usr/local/cuda-11.1/targets/x86_64-linux/lib /usr/local/cuda-11.1/targets/x86_64-linux/include
[INFO] Found cuDNN 8 in: /usr/lib/x86_64-linux-gnu /usr/include
[INFO] Found TensorRT 7 in: /usr/lib/x86_64-linux-gnu /usr/include/x86_64-linux-gnu
[ OK ] Successfully configured .apollo.bazelrc in non-interactive mode.
[INFO] Usage: /apollo/scripts/apollo_config.sh [Options]
[INFO] Options:
[INFO] -i|--interactive Run in interactive mode
[INFO] -n|--noninteractive Run in non-interactive mode
[INFO] -h|--help Show this message and exit
Steps to reproduce the issue:
Supporting materials (screenshots, command lines, code/script snippets):