Skip to content

fix(utils): quote shell arguments to prevent malicious injection#1136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
matejchalk wants to merge 1 commit into
base:main
Choose a base branch
from
Draft

fix(utils): quote shell arguments to prevent malicious injection #1136

matejchalk wants to merge 1 commit into from

Conversation

@matejchalk
Copy link
Collaborator

@matejchalkmatejchalk commented Nov 4, 2025
edited
Loading

Attempt to resolve CodeQL alert.

The shell: true flag was introduced way back in #165, and is necessary for Windows support.

@nx-cloud
Copy link

nx-cloudbot commented Nov 4, 2025
edited
Loading

View your CI Pipeline Execution ↗ for commit 08a67cb

CommandStatusDurationResult
nx code-pushup --nx-bail -- print-config --outp...❌ Failed1m 6sView ↗

☁️ Nx Cloud last updated this comment at 2025-11-06 10:55:46 UTC

@pkg-pr-new
Copy link

pkg-pr-newbot commented Nov 4, 2025
edited
Loading

Open in StackBlitz

@code-pushup/ci

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1136

@code-pushup/cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1136

@code-pushup/core

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1136

@code-pushup/create-cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1136

@code-pushup/models

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1136

@code-pushup/nx-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1136

@code-pushup/coverage-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1136

@code-pushup/eslint-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1136

@code-pushup/js-packages-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1136

@code-pushup/jsdocs-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1136

@code-pushup/lighthouse-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1136

@code-pushup/typescript-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1136

@code-pushup/utils

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1136

@code-pushup/models-transformers

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1136

commit: 08a67cb

@matejchalkmatejchalk changed the title fix(utils): remove unsafe shell:true option from executeProcessfix(utils): quote shell arguments to prevent malicious injectionNov 6, 2025
@matejchalkmatejchalk mentioned this pull request Nov 6, 2025
Merged
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@matejchalkmatejchalk

Labels

🧩 coverage-plugin🧩 eslint-plugin🧩 js-packages-pluginPlugin for audit and outdated dependencies🔬 testingwriting tests🛠️ tooling🧩 utils

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@matejchalk