fix(utils): quote shell arguments to prevent malicious injection

Author: matejchalk

package-lock.json

@@ -38,6 +38,7 @@
     "parse-lcov": "^1.0.4",
     "rimraf": "^6.0.1",
     "semver": "^7.6.3",
+    "shell-quote": "^1.8.3",
     "simple-git": "^3.26.0",
     "ts-morph": "^24.0.0",
     "tslib": "^2.6.2",
@@ -76,6 +77,7 @@
     "@types/node": "^22.13.4",
     "@types/react": "18.3.1",
     "@types/react-dom": "18.3.0",
+    "@types/shell-quote": "^1.7.5",
     "@vitejs/plugin-react": "^5.0.0",
     "@vitest/coverage-v8": "1.3.1",
     "@vitest/eslint-plugin": "^1.1.38",

package.json

@@ -7,7 +7,6 @@ import {
   createRunnerFiles,
   ensureDirectoryExists,
   executeProcess,
-  filePathToCliArg,
   objectToCliArgs,
   readJsonFile,
   ui,
@@ -66,7 +65,7 @@ export async function createRunnerConfig(
   return {
     command: 'node',
     args: [
-      filePathToCliArg(scriptPath),
+      scriptPath,
       ...objectToCliArgs({ runnerConfigPath, runnerOutputPath }),
     ],
     configFile: runnerConfigPath,

packages/plugin-coverage/src/lib/runner/index.ts

@@ -1,11 +1,5 @@
 import type { ESLint, Linter } from 'eslint';
-import { platform } from 'node:os';
-import {
-  distinct,
-  executeProcess,
-  filePathToCliArg,
-  toArray,
-} from '@code-pushup/utils';
+import { distinct, executeProcess, toArray } from '@code-pushup/utils';
 import type { ESLintTarget } from '../config.js';
 import { setupESLint } from '../setup.js';
 import type { LinterOutput, RuleOptionsPerFile } from './types.js';
@@ -29,14 +23,11 @@ async function executeLint({
     command: 'npx',
     args: [
       'eslint',
-      ...(eslintrc ? [`--config=${filePathToCliArg(eslintrc)}`] : []),
+      ...(eslintrc ? [`--config=${eslintrc}`] : []),
       ...(typeof eslintrc === 'object' ? ['--no-eslintrc'] : []),
       '--no-error-on-unmatched-pattern',
       '--format=json',
-      ...toArray(patterns).map(pattern =>
-        // globs need to be escaped on Unix
-        platform() === 'win32' ? pattern : `'${pattern}'`,
-      ),
+      ...toArray(patterns),
     ],
     ignoreExitCode: true,
     cwd: process.cwd(),

packages/plugin-eslint/src/lib/runner/lint.ts

@@ -5,7 +5,6 @@ import {
   createRunnerFiles,
   ensureDirectoryExists,
   executeProcess,
-  filePathToCliArg,
   isPromiseFulfilledResult,
   isPromiseRejectedResult,
   objectFromEntries,
@@ -39,7 +38,7 @@ export async function createRunnerConfig(
   return {
     command: 'node',
     args: [
-      filePathToCliArg(scriptPath),
+      scriptPath,
       ...objectToCliArgs({ runnerConfigPath, runnerOutputPath }),
     ],
     configFile: runnerConfigPath,

packages/plugin-js-packages/src/lib/runner/index.ts

@@ -6,6 +6,7 @@ import {
   spawn,
 } from 'node:child_process';
 import type { Readable, Writable } from 'node:stream';
+import { quote } from 'shell-quote';
 import { isVerbose } from './env.js';
 import { formatCommandLog } from './format-command-log.js';
 import { ui } from './logging.js';
@@ -157,9 +158,11 @@ export function executeProcess(cfg: ProcessConfig): Promise<ProcessResult> {
     );
   }
 
+  const bin = [command, quote(args ?? [])].join(' ');
+
   return new Promise((resolve, reject) => {
     // shell:true tells Windows to use shell command for spawning a child process
-    const spawnedProcess = spawn(command, args ?? [], {
+    const spawnedProcess = spawn(bin, {
       shell: true,
       windowsHide: true,
       ...options,

packages/utils/src/lib/execute-process.ts

@@ -84,7 +84,7 @@ export async function nxShowProjectJson<T extends ProjectConfiguration>(
 ) {
   const { code, stderr, stdout } = await executeProcess({
     command: 'npx',
-    args: ['nx', 'show', `project --json  ${project}`],
+    args: ['nx', 'show', 'project', '--json', project],
     cwd,
   });