From 331d9bd357527a206ba518b1e43af89365c86aae Mon Sep 17 00:00:00 2001
From: mikael-lovqvists-claude-agent
Date: Thu, 5 Mar 2026 19:12:57 +0000
Subject: [PATCH] Fix shell injection: use execFileSync with arg arrays instead of execSync with interpolated strings

---
 test/lib/setup.mjs | 27 ++++++++++++---------------
 1 file changed, 12 insertions(+), 15 deletions(-)

diff --git a/test/lib/setup.mjs b/test/lib/setup.mjs
index 4b622f8..5c4af83 100644
--- a/test/lib/setup.mjs
+++ b/test/lib/setup.mjs
@@ -1,34 +1,31 @@
-import { execSync, spawn } from 'node:child_process';
-import { mkdtempSync, mkdirSync } from 'node:fs';
-import { tmpdir } from 'node:os';
+import { execFileSync, spawn } from 'node:child_process';
 import { join } from 'node:path';
 
 const FA2JSON = new URL('../../build/fa2json', import.meta.url).pathname;
 
 export async function setup() {
   // Create image file and format
-  const img = execSync('mktemp /tmp/fa2json-test-XXXXXX.img').toString().trim();
-  execSync(`truncate -s 10M ${img}`);
-  execSync(`mkfs.ext4 -q ${img}`);
+  const img = execFileSync('mktemp', ['/tmp/fa2json-test-XXXXXX.img']).toString().trim();
+  execFileSync('truncate', ['-s', '10M', img]);
+  execFileSync('mkfs.ext4', ['-q', img]);
 
   // Create mount point and mount
-  const mnt = execSync('mktemp -d /tmp/fa2json-mnt-XXXXXX').toString().trim();
-  execSync(`sudo mount ${img} ${mnt}`);
+  const mnt = execFileSync('mktemp', ['-d', '/tmp/fa2json-mnt-XXXXXX']).toString().trim();
+  execFileSync('sudo', ['mount', img, mnt]);
 
   // Hand ownership to current user, then sync before fa2json starts
-  execSync(`sudo chown ${process.getuid()} ${mnt}`);
-  execSync('sync');
+  execFileSync('sudo', ['chown', String(process.getuid()), mnt]);
+  execFileSync('sync');
 
   async function teardown() {
-    try { execSync(`sudo umount ${mnt}`); } catch {}
-    try { execSync(`rm -f ${img}`); } catch {}
-    try { execSync(`rmdir ${mnt}`); } catch {}
+    try { execFileSync('sudo', ['umount', mnt]); } catch {}
+    try { execFileSync('rm', ['-f', img]); } catch {}
+    try { execFileSync('rmdir', [mnt]); } catch {}
   }
 
   return { img, mnt, teardown };
 }
 
 export function spawnFa2json(mnt) {
-  const proc = spawn('sudo', [FA2JSON, mnt], { stdio: ['ignore', 'pipe', 'inherit'] });
-  return proc;
+  return spawn('sudo', [FA2JSON, mnt], { stdio: ['ignore', 'pipe', 'inherit'] });
 }
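Review bot: The kept import `import { join } from 'node:path';` on the new side does not appear to be referenced anywhere in the file as shown (the hunk spans all 31 new lines), so after dropping the other unused helpers the import block can shrink to `import { execFileSync, spawn } from 'node:child_process';` alone. While in that block, `FA2JSON` is taken from `new URL(...).pathname`, which keeps percent-encoding (a checkout directory containing a space yields `%20`), so the `spawn('sudo', [FA2JSON, mnt], ...)` argument would not resolve; `fileURLToPath(new URL('../../build/fa2json', import.meta.url))` from 'node:url' is the exact conversion and is consistent with the commit's goal of passing literal paths as argv entries. Separately, the three `catch {}` in teardown still discard every failure, including a failed `umount`, after which `rm -f` runs against a still-mounted image and `rmdir` against a busy mount point; reporting the error, e.g. `catch (err) { console.error('teardown:', err.message); }`, would at least surface leaked mounts to whoever runs the suite.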