From 971eaf9ba2b3e12ab80671df644235aa3b067f8d Mon Sep 17 00:00:00 2001 From: daniel-lxs Date: Wed, 5 Nov 2025 15:04:08 -0500 Subject: [PATCH] fix: prevent shell injection in pre-push hook environment loading - Replace unsafe export $(grep -v '^#' .env.local | xargs) pattern - Use dotenvx for secure environment variable parsing without shell evaluation - Prevents execution of malicious commands in .env.local values - Uses existing @dotenvx/dotenvx dependency already in project - Maintains same functionality while eliminating injection vulnerability --- .husky/pre-push | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.husky/pre-push b/.husky/pre-push index 9e41e80cf8f..4cf91d95800 100644 --- a/.husky/pre-push +++ b/.husky/pre-push @@ -18,14 +18,17 @@ fi $pnpm_cmd run check-types -# Load .env.local if it exists +# Use dotenvx to securely load .env.local and run commands that depend on it if [ -f ".env.local" ]; then - export $(grep -v '^#' .env.local | xargs) -fi - -# Run tests if RUN_TESTS_ON_PUSH is set to true -if [ "$RUN_TESTS_ON_PUSH" = "true" ]; then - $pnpm_cmd run test + # Check if RUN_TESTS_ON_PUSH is set to true and run tests with dotenvx + if npx dotenvx get RUN_TESTS_ON_PUSH -f .env.local 2>/dev/null | grep -q "^true$"; then + npx dotenvx run -f .env.local -- $pnpm_cmd run test + fi +else + # Fallback: run tests if RUN_TESTS_ON_PUSH is set in regular environment + if [ "$RUN_TESTS_ON_PUSH" = "true" ]; then + $pnpm_cmd run test + fi fi # Check for new changesets.