airkjw/claude-mem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: use spawnSync to avoid command injection risks

Browse Source 
Replace execSync with shell string interpolation with spawnSync and
array arguments. This eliminates potential command injection if paths
contain special characters.
This commit is contained in:
Dmitry Guyvoronsky
2025-11-25 16:57:10 -08:00
parent 2a2206d886
commit a48a67ca76
2 changed files with 14 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/smart-install.js
+7 -5
View File
@@ -12,7 +12,7 @@
*/ */
import { existsSync, readFileSync, writeFileSync } from 'fs'; import { existsSync, readFileSync, writeFileSync } from 'fs';
import { execSync } from 'child_process'; import { execSync, spawnSync } from 'child_process';
import { join, dirname } from 'path'; import { join, dirname } from 'path';
import { fileURLToPath } from 'url'; import { fileURLToPath } from 'url';
@@ -270,13 +270,15 @@ async function main() {
const pm2Command = existsSync(localPm2Cmd) ? localPm2Cmd : 'pm2'; const pm2Command = existsSync(localPm2Cmd) ? localPm2Cmd : 'pm2';
const ecosystemPath = join(PLUGIN_ROOT, 'ecosystem.config.cjs'); const ecosystemPath = join(PLUGIN_ROOT, 'ecosystem.config.cjs');
// shell: true required for Windows to handle quoted paths correctly // Using spawnSync with array args to avoid command injection risks
execSync(`"${pm2Command}" start "${ecosystemPath}"`, { const result = spawnSync(pm2Command, ['start', ecosystemPath], {
cwd: PLUGIN_ROOT, cwd: PLUGIN_ROOT,
stdio: 'pipe', stdio: 'pipe',
encoding: 'utf-8', encoding: 'utf-8'
shell: true
}); });
if (result.status !== 0) {
throw new Error(result.stderr || 'PM2 start failed');
}
log('✅ Worker service started', colors.green); log('✅ Worker service started', colors.green);
} catch (error) { } catch (error) {
src/shared/worker-utils.ts
+7 -5
View File
@@ -1,7 +1,7 @@
import path from "path"; import path from "path";
import { homedir } from "os"; import { homedir } from "os";
import { existsSync, readFileSync } from "fs"; import { existsSync, readFileSync } from "fs";
import { execSync } from "child_process"; import { spawnSync } from "child_process";
import { getPackageRoot } from "./paths.js"; import { getPackageRoot } from "./paths.js";
// Named constants for health checks // Named constants for health checks
@@ -63,13 +63,15 @@ async function startWorker(): Promise<boolean> {
// Start using PM2 with the ecosystem config // Start using PM2 with the ecosystem config
// CRITICAL: Must set cwd to pluginRoot so PM2 starts from marketplace directory // CRITICAL: Must set cwd to pluginRoot so PM2 starts from marketplace directory
// shell: true required for Windows to handle quoted paths correctly // Using spawnSync with array args to avoid command injection risks
execSync(`"${pm2Command}" start "${ecosystemPath}"`, { const result = spawnSync(pm2Command, ['start', ecosystemPath], {
cwd: pluginRoot, cwd: pluginRoot,
stdio: 'pipe', stdio: 'pipe',
encoding: 'utf-8', encoding: 'utf-8'
shell: true
}); });
if (result.status !== 0) {
throw new Error(result.stderr || 'PM2 start failed');
}
// Wait for worker to become healthy // Wait for worker to become healthy
for (let i = 0; i < WORKER_STARTUP_RETRIES; i++) { for (let i = 0; i < WORKER_STARTUP_RETRIES; i++) {