code cleanup

Author: lucas-zimerman

.github/workflows/replay-stub-check.yml

@@ -20,14 +20,7 @@ jobs:
         with:
           node-version: '20'
 
-      - run: npm i -g corepack
-
-      - name: Install Danger
-        run: |
-          yarn install
-          yarn add --save-dev danger
-
       - name: Check Replay Stubs
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: npx danger ci --dangerfile scripts/check-replay-stubs.js
+        run: npx danger@latest ci --dangerfile scripts/check-replay-stubs.js

scripts/check-replay-stubs.js

@@ -12,15 +12,36 @@ if (!replayJarChanged) {
   return;
 }
 
+function validatePath(dirPath) {
+  const resolved = path.resolve(dirPath);
+  const cwd = process.cwd();
+  if (!resolved.startsWith(cwd)) {
+    throw new Error(`Invalid path: ${dirPath} is outside working directory`);
+  }
+  return resolved;
+}
 
-const jsDist = path.join(process.cwd(), "js-dist");
-const newSrc = path.join(process.cwd(), "replay-stubs-src");
-const oldSrc = path.join(process.cwd(), "replay-stubs-old-src");
+const jsDist = validatePath(path.join(process.cwd(), "js-dist"));
+const newSrc = validatePath(path.join(process.cwd(), "replay-stubs-src"));
+const oldSrc = validatePath(path.join(process.cwd(), "replay-stubs-old-src"));
 
 [jsDist, newSrc, oldSrc].forEach(dir => {
   if (!fs.existsSync(dir)) fs.mkdirSync(dir);
 });
 
+// Cleanup handler for temporary files
+function cleanup() {
+  [jsDist, newSrc, oldSrc].forEach(dir => {
+    if (fs.existsSync(dir)) {
+      fs.rmSync(dir, { recursive: true, force: true });
+    }
+  });
+}
+
+process.on('exit', cleanup);
+process.on('SIGINT', cleanup);
+process.on('SIGTERM', cleanup);
+
 // Tool for decompiling JARs.
 execSync(`curl -L -o ${jsDist}/jd-cli.zip https://github.com/intoolswetrust/jd-cli/releases/download/jd-cli-1.2.0/jd-cli-1.2.0-dist.zip`);
 execFileSync("unzip", ["-o", `${jsDist}/jd-cli.zip`, "-d", jsDist]);
@@ -29,16 +50,23 @@ const newJarPath = path.join(jsDist, "replay-stubs.jar");
 fs.copyFileSync("packages/core/android/libs/replay-stubs.jar", newJarPath);
 
 const baseJarPath = path.join(jsDist, "replay-stubs-old.jar");
-const baseJarContent = execSync(`git show ${danger.github.pr.base.ref}:packages/core/android/libs/replay-stubs.jar`);
+
+// Validate git ref to prevent command injection
+const baseRef = danger.github.pr.base.ref;
+if (!/^[a-zA-Z0-9/_-]+$/.test(baseRef)) {
+  throw new Error(`Invalid git ref: ${baseRef}`);
+}
+
+const baseJarContent = execSync(`git show ${baseRef}:packages/core/android/libs/replay-stubs.jar`);
 fs.writeFileSync(baseJarPath, baseJarContent);
 
 // Decompile both JARs
-execSync(`java -jar ${jsDist}/jd-cli.jar -od ${newSrc} ${newJarPath}`);
-execSync(`java -jar ${jsDist}/jd-cli.jar -od ${oldSrc} ${baseJarPath}`);
+execFileSync("java", ["-jar", `${jsDist}/jd-cli.jar`, "-od", newSrc, newJarPath]);
+execFileSync("java", ["-jar", `${jsDist}/jd-cli.jar`, "-od", oldSrc, baseJarPath]);
 
 // Compare directory listings
-const newListing = execSync(`ls -lR ${newSrc}`).toString();
-const oldListing = execSync(`ls -lR ${oldSrc}`).toString();
+const newListing = execFileSync("ls", ["-lR", newSrc]).toString();
+const oldListing = execFileSync("ls", ["-lR", oldSrc]).toString();
 
 if (newListing !== oldListing) {
   warn(`⚠️ replay-stubs.jar changes detected. Directory listing diff:\n\`\`\`\n${oldListing}\n---\n${newListing}\n\`\`\``);