Fix shell injection: use execFileSync with arg arrays instead of execSync with interpolated strings

test/lib/setup.mjs

@@ -1,34 +1,31 @@
-import { execSync, spawn } from 'node:child_process';
+import { execFileSync, spawn } from 'node:child_process';
-import { mkdtempSync, mkdirSync } from 'node:fs';
-import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 
 const FA2JSON = new URL('../../build/fa2json', import.meta.url).pathname;
 
 export async function setup() {
 	// Create image file and format
-	const img = execSync('mktemp /tmp/fa2json-test-XXXXXX.img').toString().trim();
+	const img = execFileSync('mktemp', ['/tmp/fa2json-test-XXXXXX.img']).toString().trim();
-	execSync(`truncate -s 10M ${img}`);
+	execFileSync('truncate', ['-s', '10M', img]);
-	execSync(`mkfs.ext4 -q ${img}`);
+	execFileSync('mkfs.ext4', ['-q', img]);
 
 	// Create mount point and mount
-	const mnt = execSync('mktemp -d /tmp/fa2json-mnt-XXXXXX').toString().trim();
+	const mnt = execFileSync('mktemp', ['-d', '/tmp/fa2json-mnt-XXXXXX']).toString().trim();
-	execSync(`sudo mount ${img} ${mnt}`);
+	execFileSync('sudo', ['mount', img, mnt]);
 
 	// Hand ownership to current user, then sync before fa2json starts
-	execSync(`sudo chown ${process.getuid()} ${mnt}`);
+	execFileSync('sudo', ['chown', String(process.getuid()), mnt]);
-	execSync('sync');
+	execFileSync('sync');
 
 	async function teardown() {
-		try { execSync(`sudo umount ${mnt}`); } catch {}
+		try { execFileSync('sudo', ['umount', mnt]); } catch {}
-		try { execSync(`rm -f ${img}`); } catch {}
+		try { execFileSync('rm', ['-f', img]); } catch {}
-		try { execSync(`rmdir ${mnt}`); } catch {}
+		try { execFileSync('rmdir', [mnt]); } catch {}
 	}
 
 	return { img, mnt, teardown };
 }
 
 export function spawnFa2json(mnt) {
-	const proc = spawn('sudo', [FA2JSON, mnt], { stdio: ['ignore', 'pipe', 'inherit'] });
+	return spawn('sudo', [FA2JSON, mnt], { stdio: ['ignore', 'pipe', 'inherit'] });
-	return proc;
 }