fix(windows-service): Triple-quote SERVICE_BIN path to prevent injection (CVE-2025-54081) #659
Open
dkgkdfg65 wants to merge 1 commit into
Conversation
(cherry picked from commit f22b00d) Signed-off-by: dkgkdfg65 <219107372+dkgkdfg65@users.noreply.github.com>
CodeRabbit review: No actionable comments were generated in the recent review.
Summary by CodeRabbit: Bug Fixes
This PR makes a minor adjustment to the Windows service installation script, modifying ... Changes: Windows service installation parameter adjustment.
Possibly related PRs
Review effort estimate: 2 (simple), ~5 minutes. Pre-merge checks: 5 passed.
qiin2333 added a commit that referenced this pull request on May 18, 2026
…atal mode (#662)

* ci(driver-deps): fork-friendly vmouse fetch via public mirror + non-fatal mode

Fork PRs (e.g. external CVE backports) cannot access org-scoped secrets, so the private repo AlkaidLab/ZakoVirtualMouse download for the vmouse driver fails and aborts CMake configure with FATAL_ERROR. This blocked CI on PR #659 (CVE-2025-54081) even though the patch itself was unrelated to the driver pipeline.

Two layered fixes:

1. Public mirror first (cmake/packaging/FetchDriverDeps.cmake):
   - New cache var VMOUSE_PUBLIC_REPO (default AlkaidLab/zako-vmouse-release).
   - _fetch_vmouse() now tries the public mirror via plain browser_download_url (no auth) before falling back to the private repo's GitHub API path. Public mirror release tag and asset filenames must match VMOUSE_DRIVER_VERSION.

2. Graceful degradation (DRIVER_DEPS_REQUIRED option):
   - New option DRIVER_DEPS_REQUIRED (default ON, preserves existing behavior).
   - When OFF, missing driver files become WARNING instead of FATAL_ERROR, per-driver _CHECK_DRIVER_AVAILABLE cache var is set, and packaging skips the affected driver entirely.
   - windows.cmake gates each driver's install(FILES ...) on its availability flag.
   - sunshine.iss.in adds 'skipifsourcedoesntexist' to the vmouse driver wildcard so Inno doesn't abort when the dir is empty.

3. Workflow (.github/workflows/main.yml):
   - Build Windows step now passes -DDRIVER_DEPS_REQUIRED=${DRIVER_DEPS_REQUIRED}, which evaluates to OFF only when github.event_name == 'pull_request' && head repo is a fork. All other triggers (push, internal PR, release) stay ON.

Net effect: fork PRs configure/build/package successfully (just without the vmouse component); internal PRs and release builds are unchanged.

* fix: apply CodeRabbit auto-fixes

Fixed 1 file(s) based on 1 unresolved review comment.

Co-authored-by: CodeRabbit <noreply@coderabbit.ai>

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
qiin2333 added a commit that referenced this pull request on May 19, 2026
…atal mode (#662), with the same commit message as the May 18 entry above.
4db4aa3 to e5579b9
Backports upstream LizardByte/Sunshine f22b00d for CVE-2025-54081. One-character fix: wraps %SERVICE_BIN% in triple quotes in install-service.bat line 70 so sc create handles binary paths with spaces correctly. AlkaidLab's variant uses !SC_CMD!/!SC_START_TYPE! (delayed expansion) instead of upstream's %SC_CMD%, so I kept that style and just added the triple-quote wrapper.
Upstream: LizardByte@f22b00d
CVE: https://nvd.nist.gov/vuln/detail/CVE-2025-54081
I haven't reinstalled the Windows service to verify after this — the fix is mechanical and identical in effect to upstream's.
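The mechanism behind the triple quotes, as an added example that is not code from the AlkaidLab or LizardByte repositories: cmd.exe expands %SERVICE_BIN% and hands the resulting line to sc.exe, which splits it into arguments using the MSVCRT / CommandLineToArgvW rules and stores the argument after binPath= verbatim as the service's ImagePath. With "%SERVICE_BIN%" the outer quotes are consumed by argument splitting, so a path containing spaces is stored unquoted; with three quotes on each side the inner pair becomes one literal quote each (the rule that a pair of quotes inside a quoted argument is a literal quote, with quoting continuing), so the stored ImagePath keeps its quotes. An unquoted ImagePath with spaces is then probed by CreateProcess prefix by prefix, which is what lets a local user who can write to one of those prefixes plant a binary. The service name SunshineService, the path and the start= auto argument below are constructed for illustration; on a real host the ImagePath to check comes from sc qc <service> or from HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath.

```python
"""Added example, not code from the AlkaidLab or LizardByte repositories.

Shows what sc.exe actually receives from install-service.bat when the path
is wrapped as "%SERVICE_BIN%" versus as three double quotes on each side,
and which extra paths CreateProcess probes for an unquoted ImagePath.
"""

# Constructed sample values; the real ones live in install-service.bat.
SERVICE_NAME = "SunshineService"
SERVICE_BIN = r"C:\Program Files\Sunshine\sunshine.exe"


def win_split_args(cmdline):
    """Split a command line into argv like MSVCRT / CommandLineToArgvW do.

    Rules applied (documented Windows behaviour): whitespace separates
    arguments outside quotes; 2n backslashes before a quote give n
    backslashes and toggle quoting; 2n+1 give n backslashes plus a literal
    quote; backslashes not before a quote are literal; inside quotes a pair
    of quotes is one literal quote and quoting continues.  The simpler
    special rule for argv[0] is not modelled; only later args matter here.
    """
    args, cur, in_arg, in_quote = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nslash = j - i
            in_arg = True
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nslash // 2))
                if nslash % 2:          # odd count: the quote is literal
                    cur.append('"')
                    j += 1
                i = j                   # even count: quote handled below
                continue
            cur.append("\\" * nslash)   # no quote follows: all literal
            i = j
            continue
        if c == '"':
            in_arg = True
            if in_quote and i + 1 < n and cmdline[i + 1] == '"':
                cur.append('"')         # "" inside quotes -> literal quote
                i += 2
                continue
            in_quote = not in_quote
            i += 1
            continue
        if c in " \t" and not in_quote:
            if in_arg:
                args.append("".join(cur))
                cur, in_arg = [], False
            i += 1
            continue
        cur.append(c)
        in_arg = True
        i += 1
    if in_arg:
        args.append("".join(cur))
    return args


def sc_create_cmdline(service_bin, triple_quote):
    # The line cmd.exe hands to sc.exe once %SERVICE_BIN% (or !SERVICE_BIN!)
    # has been expanded: either "path" or """path""" around the binary.
    q = '"""' if triple_quote else '"'
    return f"sc create {SERVICE_NAME} binPath= {q}{service_bin}{q} start= auto"


def sc_binpath_arg(cmdline):
    # sc.exe stores the argument following binPath= verbatim as ImagePath.
    argv = win_split_args(cmdline)
    return argv[argv.index("binPath=") + 1]


def hijack_candidates(image_path):
    """Paths CreateProcess tries before the real binary for an unquoted
    ImagePath with spaces (per the CreateProcessW docs: each space-delimited
    prefix in turn, '.exe' appended when the candidate has no extension).
    A quoted ImagePath has an explicit boundary, so nothing can be planted."""
    s = image_path.strip()
    if s.startswith('"'):
        return []
    tokens = s.split(" ")
    out = []
    for k in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:k])
        if prefix.lower().endswith(".exe") or k == len(tokens):
            break                       # reached the intended executable
        if "." not in prefix.rsplit("\\", 1)[-1]:
            prefix += ".exe"
        out.append(prefix)
    return out


if __name__ == "__main__":
    for triple in (False, True):
        cmd = sc_create_cmdline(SERVICE_BIN, triple)
        image_path = sc_binpath_arg(cmd)
        print("command line:", cmd)
        print("ImagePath   :", image_path)
        print("plantable   :", hijack_candidates(image_path) or "none", "\n")
```

Run as a script it prints the two command lines, the ImagePath each one produces, and the plantable prefixes (C:\Program.exe for the single-quoted form, none for the triple-quoted one). The same hijack_candidates check applied to the output of sc qc on an installed service is a quick way to confirm the fix took effect, and it stays quiet for the common case of an unquoted path without spaces followed by arguments, such as a svchost.exe -k line.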