github · agency-orchestratorHEAD

Evidence

export function parseWorkflow(filePath: string): WorkflowDefinition {

  const raw = readFileSync(filePath, 'utf-8');

  const doc = yaml.load(raw) as Record<string, unknown>;

  // 基本校验

  if (!doc || typeof doc !== 'object') {

Remediation

Replace pickle with json/msgpack or a schema-validated format (protobuf, cap'n proto). Use yaml.safe_load instead of yaml.load. Never deserialize data from an untrusted source with these APIs.

Evidence

return files.map(f => {

    try {

      const content = readFileSync(f, 'utf-8');

      const doc = yaml.load(content) as Record<string, unknown>;

      return {

        file: relative(process.cwd(), f),

        name: (doc?.name as string) || '(unnamed)',

Remediation

Replace pickle with json/msgpack or a schema-validated format (protobuf, cap'n proto). Use yaml.safe_load instead of yaml.load. Never deserialize data from an untrusted source with these APIs.

Evidence

return files.map(f => {

    try {

      const content = readFileSync(f, 'utf-8');

      const doc = yaml.load(content) as Record<string, unknown>;

      return {

        file: relative(process.cwd(), f),

        name: (doc?.name as string) || '(unnamed)',

Remediation

Replace pickle with json/msgpack or a schema-validated format (protobuf, cap'n proto). Use yaml.safe_load instead of yaml.load. Never deserialize data from an untrusted source with these APIs.

Evidence

- name: Deploy to Splunk

        run: |

          # Push compiled rules via Splunk REST API

          curl -k -u "${{ secrets.SPLUNK_USER }}:${{ secrets.SPLUNK_PASS }}" \

            https://${{ secrets.SPLUNK_HOST }}:8089/servicesNS/admin/search/saved/searches \

            -d @compiled/splunk/rules.conf

Remediation

Drop the verify-disable flag. If the peer presents a private CA: - Python: pass `verify="/path/to/ca.pem"` or trust the system store - Node: `new https.Agent({ ca: fs.readFileSync("ca.pem") })` - Go: load the CA via `x509.NewCertPool().AppendCertsFromPEM(...)` and set `tls.Config.RootCAs` Self-signed certificates: import the cert into the OS trust chain rather than disabling verification per-call.

Evidence

if (args[i] === '--input' || args[i] === '-i') {

      const pair = args[++i];

      if (!pair) {

        console.error('--input 需要 key=value 参数');

        process.exit(1);

      }

      const eqIdx = pair.indexOf('=');

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

}

      const eqIdx = pair.indexOf('=');

      if (eqIdx < 1) {

        console.error(`无效的 input 格式: ${pair} (应为 key=value)`);

        process.exit(1);

      }

      const key = pair.slice(0, eqIdx);

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async function handleRun(): Promise<void> {

  const filePath = args[1];

  if (!filePath) {

    console.error('用法: ao run <workflow.yaml> [--input key=value ...]');

    process.exit(1);

  }

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

app.use('/webhook/event', lark.adaptExpress(eventDispatcher));

app.use('/webhook/card', lark.adaptExpress(cardActionHandler));

app.listen(3000, () => console.log('Feishu event service started'));

```

### Bitable Operations

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

"-af", "loudnorm=I=-16:TP=-1.5:LRA=11",  # EBU R128 loudness normalization

        output_path

    ]

    subprocess.run(cmd, check=True, capture_output=True)

    return output_path

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

const controller = new AbortController();

    const timeout = setTimeout(() => controller.abort(), 2000);

    const ollamaUrl = process.env.OLLAMA_BASE_URL || 'http://localhost:11434';

    const res = await fetch(`${ollamaUrl.replace(/\/+$/, '')}/api/tags`, {

      signal: controller.signal,

    });

    clearTimeout(timeout);

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

"""Fetch and parse raw messages, preserving full MIME structure."""

    messages = []

    for msg_id in thread_ids:

        _, data = imap_conn.fetch(msg_id, "(RFC822)")

        raw = data[0][1]

        parsed = email.message_from_bytes(raw, policy=policy.default)

        messages.append({

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

'plan_workflow',

    'Show the DAG execution plan for a workflow',

    {

      path: z.string().describe('Path to workflow YAML file'),

    },

    async ({ path: workflowPath }) => {

      try {

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

'validate_workflow',

    'Validate a workflow YAML without executing',

    {

      path: z.string().describe('Path to workflow YAML file'),

    },

    async ({ path: workflowPath }) => {

      try {

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

'validate_workflow',

    'Validate a workflow YAML without executing',

    {

      path: z.string().describe('Path to workflow YAML file'),

    },

    async ({ path: workflowPath }) => {

      try {

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

'run_workflow',

    'Execute a YAML workflow with the DAG engine',

    {

      path: z.string().describe('Path to workflow YAML file'),

      inputs: z.record(z.string(), z.string()).optional().describe('Key-value input variables'),

      provider: z.enum(['claude-code', 'gemini-cli', 'copilot-cli', 'codex-cli', 'openclaw-cli', 'hermes-cli', 'deepseek', 'claude', 'openai', 'ollama']).optional().describe('Override LLM provider'),

      model: z.string().optional().describe('Override model name'),

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

'run_workflow',

    'Execute a YAML workflow with the DAG engine',

    {

      path: z.string().describe('Path to workflow YAML file'),

      inputs: z.record(z.string()).optional().describe('Key-value input variables'),

      provider: z.enum(['deepseek', 'claude', 'openai', 'ollama']).optional().describe('Override LLM provider'),

      model: z.string().optional().describe('Override model name'),

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

'plan_workflow',

    'Show the DAG execution plan for a workflow',

    {

      path: z.string().describe('Path to workflow YAML file'),

    },

    async ({ path: workflowPath }) => {

      try {

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

name: Validate agent frontmatter and structure

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

        with:

          fetch-depth: 0

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v4

      - name: Setup Node.js ${{ matrix.node-version }}

        uses: actions/setup-node@v4

        with:

          node-version: ${{ matrix.node-version }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

node-version: [20, 22]

    steps:

      - uses: actions/checkout@v4

      - name: Setup Node.js ${{ matrix.node-version }}

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

killed = true;

            child.kill('SIGTERM');

            // SIGTERM 后 5s 仍未退出则强制 SIGKILL，防止僵尸进程

            setTimeout(() => { try { child.kill('SIGKILL'); } catch {} }, 5000);

          }, timeout)

        : null;

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

return await this._exec(args, userMessage, timeout);

    } finally {

      if (systemPromptFile) {

        try { unlinkSync(systemPromptFile); } catch {}

      }

    }

  }

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

const timer = setTimeout(() => {

        killed = true;

        child.kill('SIGTERM');

        setTimeout(() => { try { child.kill('SIGKILL'); } catch {} }, 5000);

      }, timeout);

      child.stdout!.on('data', (chunk: Buffer) => {

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.