fix: use version-aware zip extraction on Windows

[popododo0720]

Summary

• Fix zip extraction failures on Windows when Expand-Archive module cannot be loaded
• Add shared extractZip utility that selects the best extraction method based on Windows version

Changes

• Add src/shared/zip-extractor.ts with version-aware extraction logic:
  • Windows 10 1803+ (build 17134+) / Server 2019+: use built-in tar
  • PowerShell 7+ installed: use pwsh
  • Fallback: use powershell (Windows PowerShell 5.1)
• Refactor comment-checker/downloader.ts to use shared utility
• Refactor ast-grep/downloader.ts to use shared utility
• Refactor grep/downloader.ts to use shared utility

Testing

bun run typecheck
bun run build

Both pass successfully.

To verify on Windows:

1. Test on Windows 10 1803+ → should use tar
2. Test on older Windows with PowerShell 7 installed → should use pwsh
3. Test on older Windows without PowerShell 7 → should use powershell

Related Issues

Closes #552

---

Summary by cubic

Fix Windows zip extraction failures with a version-aware strategy selecting tar on Windows 10 1803+/Server 2019+, pwsh if installed, then powershell. Centralizes extraction; updates comment-checker, ast-grep, and ripgrep downloaders; closes #552.

• Bug Fixes

  • Version-aware Windows extraction: tar (build >=17134), pwsh (via PATH), fallback to powershell; escapes PowerShell paths; avoids Expand-Archive failures; ignores stdout to prevent deadlocks on large output.

• Refactors

  • Add src/shared/zip-extractor.ts and export via src/shared/index.ts.
  • Switch comment-checker, ast-grep, and ripgrep downloaders to use extractZip.

^{Written for commit a00bd8e. Summary will update on new commits.}

[github-actions]

All contributors have signed the CLA. Thank you! ✅
_{Posted by the CLA Assistant Lite bot.}

[popododo0720]

I have read the CLA Document and I hereby sign the CLA

[greptile-apps]

Greptile Summary

Refactored Windows zip extraction by creating a shared utility that intelligently selects extraction method based on Windows version and PowerShell availability. This fixes issue #552 where Expand-Archive module loading failed in PowerShell 7.

Key Changes

• Created src/shared/zip-extractor.ts with version-aware extraction logic
• Refactored 3 downloader modules to use shared utility, eliminating code duplication
• Windows 10 1803+ (build 17134+) now uses built-in tar command
• Falls back to pwsh (PowerShell 7) if available, then powershell (5.1)

Issues Found

• Command injection vulnerability: Archive and destination paths are interpolated directly into PowerShell commands without escaping (lines 48, 55)
• Hardcoded path limitation: PowerShell 7 detection only checks default installation path, missing custom installations

Recommendations

• Pass PowerShell parameters as separate array elements to spawn() instead of string interpolation
• Consider dynamic PowerShell 7 detection via PATH or spawn check

Confidence Score: 3/5

• This PR solves the immediate Windows extraction issue but introduces command injection vulnerabilities that need fixing before merge
• The refactoring successfully addresses the original bug by providing Windows version-aware extraction fallbacks. However, the implementation has critical security issues with command injection in PowerShell commands (lines 48, 55) where user-controlled paths are interpolated into shell commands. Additionally, the hardcoded PowerShell 7 path check limits effectiveness. These issues should be resolved before merging.
• Pay close attention to src/shared/zip-extractor.ts - fix command injection vulnerabilities on lines 48 and 55

Important Files Changed

Filename	Overview
src/shared/zip-extractor.ts	New shared utility with version-aware zip extraction for Windows; uses tar on modern Windows, pwsh/powershell fallbacks
src/hooks/comment-checker/downloader.ts	Refactored to use shared extractZip utility, removed duplicate extraction logic
src/tools/ast-grep/downloader.ts	Refactored to use shared extractZip utility, removed duplicate extraction logic
src/tools/grep/downloader.ts	Refactored to use shared extractZip utility, simplified Windows/Unix extraction logic

Sequence Diagram

sequenceDiagram
    participant Downloader as comment-checker/downloader.ts
    participant ZipExtractor as shared/zip-extractor.ts
    participant OS as OS API
    participant Shell as Shell (tar/pwsh/powershell)

    Downloader->>ZipExtractor: extractZip(archivePath, destDir)
    
    alt platform === "win32"
        ZipExtractor->>OS: release()
        OS-->>ZipExtractor: version string (e.g. "10.0.17134")
        ZipExtractor->>ZipExtractor: parse build number from version
        
        alt build >= 17134 (Windows 10 1803+)
            ZipExtractor->>Shell: spawn tar -xf
            Shell-->>ZipExtractor: extraction result
        else pwsh exists
            ZipExtractor->>OS: existsSync("C:\\Program Files\\PowerShell\\7\\pwsh.exe")
            OS-->>ZipExtractor: true
            ZipExtractor->>Shell: spawn pwsh Expand-Archive
            Shell-->>ZipExtractor: extraction result
        else fallback
            ZipExtractor->>Shell: spawn powershell Expand-Archive
            Shell-->>ZipExtractor: extraction result
        end
    else Unix/Linux/macOS
        ZipExtractor->>Shell: spawn unzip
        Shell-->>ZipExtractor: extraction result
    end
    
    alt exitCode !== 0
        ZipExtractor-->>Downloader: throw Error
    else success
        ZipExtractor-->>Downloader: void (success)
    end

Loading

[greptile-apps]

Additional Comments (3)

1. src/shared/zip-extractor.ts, line 48 (link)

   logic: command injection vulnerability: archivePath and destDir are directly interpolated into PowerShell command without escaping. If these paths contain single quotes, the command will break or could execute arbitrary code.

2. src/shared/zip-extractor.ts, line 55 (link)

   logic: same command injection vulnerability here for powershell fallback

3. src/shared/zip-extractor.ts, line 27 (link)

   logic: hardcoded path won't work for custom PowerShell 7 installations or non-standard locations. Use which pwsh or check PATH environment variable instead

   Would checking PATH via spawn be acceptable, or should this maintain the file existence check for performance?

_{5 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[cubic-dev-ai]

2 issues found across 5 files

Confidence score: 3/5

• Unescaped single quotes in the PowerShell branch of src/shared/zip-extractor.ts mean paths containing ' will fail to extract, posing a concrete regression for Windows users.
• Same path escaping issue as in the prior pwsh logic remains unresolved, so the zip extraction command is not reliable when filenames include quotes.
• Pay close attention to src/shared/zip-extractor.ts - ensure single quotes are doubled for PowerShell compatibility.

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src/shared/zip-extractor.ts">

<violation number="1" location="src/shared/zip-extractor.ts:48">
P1: Paths containing single quotes will break the PowerShell command. Escape single quotes by doubling them for PowerShell single-quoted strings.</violation>

<violation number="2" location="src/shared/zip-extractor.ts:55">
P1: Same path escaping issue as the `pwsh` case. Escape single quotes for PowerShell compatibility.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[popododo0720]

Fixed the issues raised in the review:

1. Command injection vulnerability (lines 48, 55): Added escapePowerShellPath() function that escapes single quotes by doubling them for PowerShell compatibility
2. Hardcoded pwsh path: Changed from existsSync("C:\\Program Files\\PowerShell\\7\\pwsh.exe") to where pwsh via PATH lookup

Please re-review. Thanks!

[popododo0720]

@cubic-dev-ai please re-review - the issues have been fixed in commit 8d33e2b

[cubic-dev-ai]

@cubic-dev-ai please re-review - the issues have been fixed in commit 8d33e2b

@popododo0720 I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

1 issue found across 5 files

Confidence score: 3/5

• Unconsumed stdout from the unzip -o child process in src/shared/zip-extractor.ts can deadlock extraction when large output is produced, making this a tangible user-impacting regression risk.
• Score reflects a medium-severity, reproducible hang scenario that merits a fix before merge to ensure reliable archives handling.
• Pay close attention to src/shared/zip-extractor.ts – stdout should be ignored or drained to avoid child process deadlocks.

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="src/shared/zip-extractor.ts">

<violation number="1" location="src/shared/zip-extractor.ts:52">
P2: stdout is piped but never consumed, which can cause a deadlock if the extraction process produces significant output (particularly `unzip -o` which lists every file). Since stdout content isn't needed, use `"ignore"` instead of `"pipe"`.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[popododo0720]

Fixed the stdout deadlock issue - changed stdout: "pipe" to stdout: "ignore" for all extraction commands.

@cubic-dev-ai please re-review

[cubic-dev-ai]

Fixed the stdout deadlock issue - changed stdout: "pipe" to stdout: "ignore" for all extraction commands.

@cubic-dev-ai please re-review

@popododo0720 I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 5 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.