Code Audit: scheduler
Summary
Total issues: 2 (critical: 0, high: 1, medium: 1, low: 0)
One high-severity security vulnerability in crontab entry construction, and one medium-severity bug where a parameter is ignored.
Findings
| File | Issue Type | Severity | Summary |
| --- | --- | --- | --- |
| src/scheduler/cron.js | security | high | `job.command` interpolated directly into crontab entries without sanitization — allows crontab format injection via newlines |
| src/scheduler/autoSchedule.js | bug | medium | `persistJobFile` ignores the `cwd` parameter and uses module-level `SCHEDULES_DIR` constant instead |
Remediation Priority
- [High severity security issues]
  - Sanitize `job.command` to prevent newlines and special characters from breaking crontab format (lines 109, 216, 415 in cron.js)
- [Medium severity bugs]
  - Use the `cwd` parameter in `persistJobFile` instead of the module-level `SCHEDULES_DIR` constant (line 40 in autoSchedule.js)
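
One way to implement the high-severity remediation, shown beside the raw interpolation the finding describes. This is an added example, not code from the audited project: the function names and the `job.schedule` field are assumptions, only five-field schedules are accepted, and `%` is rejected because cron turns an unescaped `%` in the command field into a newline.

```javascript
// Added example; buildCrontabLine, buildCrontabLineUnsafe and job.schedule
// are hypothetical names, not taken from src/scheduler/cron.js.

// Characters allowed in one cron time field (numbers, names, * / , -).
const SCHEDULE_FIELD = /^[0-9A-Za-z*\/,\-]+$/;
// Any C0 control character (covers \n, \r, \t, \0) or DEL.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// The pattern from the finding: the command is interpolated as-is, so an
// embedded newline ends the entry and starts a second crontab line.
function buildCrontabLineUnsafe(job) {
  return `${job.schedule} ${job.command}`;
}

// Hardened form: validate both parts and refuse anything that could
// change how cron splits the entry, instead of trying to repair it.
function buildCrontabLine(job) {
  const { schedule, command } = job;
  if (typeof schedule !== 'string' || typeof command !== 'string') {
    throw new TypeError('schedule and command must be strings');
  }
  const fields = schedule.trim().split(/ +/);
  if (fields.length !== 5 || !fields.every((f) => SCHEDULE_FIELD.test(f))) {
    throw new Error('invalid cron schedule');
  }
  if (command.trim() === '' || CONTROL_CHARS.test(command)) {
    throw new Error('command is empty or contains control characters');
  }
  if (command.includes('%')) {
    // cron converts an unescaped % into a newline; reject rather than guess.
    throw new Error('command contains %, wrap it in a script instead');
  }
  return `${fields.join(' ')} ${command}`;
}

// Constructed input: one job whose command carries an embedded newline.
const injected = {
  schedule: '0 3 * * *',
  command: 'backup.sh\n* * * * * echo injected',
};
console.log('unsafe builder emits',
  buildCrontabLineUnsafe(injected).split('\n').length, 'crontab lines');
try {
  buildCrontabLine(injected);
} catch (err) {
  console.log('hardened builder rejects it:', err.message);
}
```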