fix(utils): quote shell arguments to prevent malicious injection

matejchalk · matejchalk · commit 5312aa712c2d · 2025-11-05T17:13:41.000+01:00
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -38,6 +38,7 @@
     "parse-lcov": "^1.0.4",
     "rimraf": "^6.0.1",
     "semver": "^7.6.3",
+    "shell-quote": "^1.8.3",
     "simple-git": "^3.26.0",
     "ts-morph": "^24.0.0",
     "tslib": "^2.6.2",
@@ -76,6 +77,7 @@
     "@types/node": "^22.13.4",
     "@types/react": "18.3.1",
     "@types/react-dom": "18.3.0",
+    "@types/shell-quote": "^1.7.5",
     "@vitejs/plugin-react": "^5.0.0",
     "@vitest/coverage-v8": "1.3.1",
     "@vitest/eslint-plugin": "^1.1.38",
diff --git a/packages/utils/src/lib/execute-process.ts b/packages/utils/src/lib/execute-process.ts
@@ -6,6 +6,7 @@ import {
   spawn,
 } from 'node:child_process';
 import type { Readable, Writable } from 'node:stream';
+import { quote } from 'shell-quote';
 import { isVerbose } from './env.js';
 import { formatCommandLog } from './format-command-log.js';
 import { ui } from './logging.js';
@@ -157,8 +158,10 @@ export function executeProcess(cfg: ProcessConfig): Promise<ProcessResult> {
     );
   }
 
+  const bin = [command, quote(args ?? [])].join(' ');
+
   return new Promise((resolve, reject) => {
-    const spawnedProcess = spawn(command, args ?? [], {
+    const spawnedProcess = spawn(bin, {
       windowsHide: true,
       ...options,
     }) as ChildProcessByStdio<Writable, Readable, Readable>;
