mirror of
https://github.com/nexu-io/open-design.git
synced 2026-07-07 14:38:42 +08:00
* fix: V-001 security vulnerability Automated security fix generated by OrbisAI Security * fix: multiple subprocess calls accept user-controlle... in index.ts Multiple subprocess calls accept user-controlled arguments without proper validation or sanitization, allowing attackers to inject shell metacharacters and execute arbitrary commands on the host system * Apply code changes: Hey @orbisai0security — @PerishCode's blocking rev...
30 lines
1.1 KiB
TypeScript
30 lines
1.1 KiB
TypeScript
import assert from "node:assert/strict";
|
|
import { readFile } from "node:fs/promises";
|
|
import path from "node:path";
|
|
import { describe, it } from "node:test";
|
|
import { fileURLToPath } from "node:url";
|
|
|
|
const toolsDevRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
|
|
|
|
describe("runLoggedCommand security: shell injection prevention (V-001)", () => {
|
|
it("spawn is invoked with shell: false to prevent user-controlled argument injection", async () => {
|
|
const src = await readFile(path.join(toolsDevRoot, "src/index.ts"), "utf8");
|
|
|
|
// Security invariant: runLoggedCommand must pass shell: false to spawn.
|
|
// Without this, shell metacharacters in user-controlled args (command or
|
|
// args[]) are interpreted by /bin/sh, enabling arbitrary command execution.
|
|
assert.match(
|
|
src,
|
|
/shell:\s*false/,
|
|
"spawn() in runLoggedCommand must explicitly set shell: false",
|
|
);
|
|
|
|
// Guard against regressions that re-introduce shell: true anywhere in this file.
|
|
assert.doesNotMatch(
|
|
src,
|
|
/shell:\s*true/,
|
|
"No spawn() call in index.ts should set shell: true",
|
|
);
|
|
});
|
|
});
|