Skip to content

NEW @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key#483

Open
nikhil-mittal-165 wants to merge 1 commit into
devfrom
feature/h1-remove-custom-engine-plugin-modules
Open

NEW @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key#483
nikhil-mittal-165 wants to merge 1 commit into
devfrom
feature/h1-remove-custom-engine-plugin-modules

Conversation

@nikhil-mittal-165

Copy link
Copy Markdown
Contributor

Summary

Removes the hidden custom_engine_plugin_modules configuration key and dynamically loaded engine plugin functionality to eliminate a Remote Code Execution (RCE) vulnerability. This security fix blocks the ability to inject and execute arbitrary code through malicious config files.

GUS Ticket W-23442992 — [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key

Changes

  • Removed custom_engine_plugin_modules hidden config key from CodeAnalyzerConfig
  • Deleted dynamicallyAddEnginePlugin method from CodeAnalyzer prototype
  • Added ConfigObjectContainsInvalidKey error for rejected config keys
  • Config validation now prevents import of malicious plugin modules
  • Updated configuration schema to reject external plugin specifications

Dependencies

None

Test Evidence

Unit tests: code-analyzer-core 435/435 pass (15 suites)
Integration: dreamhouse baseline scan fails with 'config.getCustomEnginePluginModules is not a function' because CLI repo still calls removed API (Category B - CLI needs separate PR)

Security validation PASS:

  1. CodeAnalyzerConfig.fromObject({custom_engine_plugin_modules:['./evil.js']}) throws 'ConfigObjectContainsInvalidKey' as expected
  2. dynamicallyAddEnginePlugin removed from CodeAnalyzer prototype
  3. Malicious code-analyzer.yml with custom_engine_plugin_modules rejected before import() - evil-plugin.js NOT executed, RCE blocked

Known external failures (not blocking): CLI repo (code-analyzer) still calls getCustomEnginePluginModules() in ConfigAction.ts/RulesAction.ts/RunAction.ts - needs separate CLI PR to remove those calls

Test Status: PASS

Fix attempts: 0

…ePlugin (RCE fix)

Remove the undocumented custom_engine_plugin_modules config field and the
dynamicallyAddEnginePlugin method that together enabled arbitrary code
execution via dynamic import of user-controlled paths.

- Remove CUSTOM_ENGINE_PLUGIN_MODULES from FIELDS, TopLevelConfig type,
  DEFAULT_CONFIG, and bypass-validation list so the field is now actively
  rejected by schema validation as an invalid key
- Remove getCustomEnginePluginModules() accessor from CodeAnalyzerConfig
- Remove dynamicallyAddEnginePlugin() method and dynamicallyImport()
  helper from CodeAnalyzer class
- Remove pathToFileURL import (no longer needed)
- Remove FailedToDynamicallyLoadModule and
  FailedToDynamicallyAddEnginePlugin error messages
- Add security tests asserting config rejection and method absence
- Update test fixtures and existing tests for removed functionality
@git2gus

git2gus Bot commented Jul 14, 2026

Copy link
Copy Markdown

Git2Gus App is installed but the .git2gus/config.json doesn't have right values. You should add the required configuration.

@nikhil-mittal-165 nikhil-mittal-165 changed the title @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key NEW @W-23442992@ [Bug Bounty / H1]Salesforce Code Analyzer custom_engine_plugin_modules hidden config key Jul 14, 2026
@nikhil-mittal-165 nikhil-mittal-165 marked this pull request as ready for review July 14, 2026 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant