Conversation

@matejchalk (Collaborator) commented Nov 4, 2025

Attempt to resolve CodeQL alert.

The shell: true flag was introduced way back in #165, and is necessary for Windows support.

nx-cloud bot commented Nov 4, 2025

View your CI Pipeline Execution ↗ for commit 08a67cb

| Command | Status | Duration |
| --- | --- | --- |
| nx code-pushup --nx-bail -- print-config --outp... | ❌ Failed | 1m 6s |

☁️ Nx Cloud last updated this comment at 2025-11-06 10:55:46 UTC

pkg-pr-new bot commented Nov 4, 2025

@code-pushup/ci

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/ci@1136

@code-pushup/cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/cli@1136

@code-pushup/core

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/core@1136

@code-pushup/create-cli

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/create-cli@1136

@code-pushup/models

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models@1136

@code-pushup/nx-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/nx-plugin@1136

@code-pushup/coverage-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/coverage-plugin@1136

@code-pushup/eslint-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/eslint-plugin@1136

@code-pushup/js-packages-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/js-packages-plugin@1136

@code-pushup/jsdocs-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/jsdocs-plugin@1136

@code-pushup/lighthouse-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/lighthouse-plugin@1136

@code-pushup/typescript-plugin

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/typescript-plugin@1136

@code-pushup/utils

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/utils@1136

@code-pushup/models-transformers

npm i https://pkg.pr.new/code-pushup/cli/@code-pushup/models-transformers@1136

commit: 08a67cb

@github-actions github-actions bot added 🔬 testing writing tests 🧩 eslint-plugin 🧩 coverage-plugin 🧩 js-packages-plugin Plugin for audit and outdated dependencies labels Nov 6, 2025
@matejchalk matejchalk changed the title from "fix(utils): remove unsafe shell:true option from executeProcess" to "fix(utils): quote shell arguments to prevent malicious injection" Nov 6, 2025
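
Added example, not code from this pull request or the code-pushup repository: it shows why arguments need quoting once `shell: true` has to stay, by running the same constructed value through a shell unquoted and quoted. It assumes a POSIX `/bin/sh`; `quotePosixArg` and `receivedArgs` are hypothetical names, and cmd.exe follows different quoting rules that are not covered here.

```javascript
// Added illustration; not code from the code-pushup repository.
// Assumes a POSIX /bin/sh with printf available.
const { spawnSync } = require('node:child_process');

// Quote one argument for POSIX sh: wrap it in single quotes and encode each
// embedded single quote as '\'' (close quote, escaped quote, reopen quote).
function quotePosixArg(arg) {
  if (arg === '') return "''";
  // Plainly safe tokens stay unquoted so command lines remain readable.
  if (/^[A-Za-z0-9_\/:=.,@%+-]+$/.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

// With the shell option set, Node joins the command and its args with spaces
// and hands that string to the shell, so every arg is parsed as shell syntax.
// Returns one entry per line the shell session printed.
function receivedArgs(args, { quote }) {
  const finalArgs = quote ? args.map(quotePosixArg) : args;
  const result = spawnSync('printf', ['"[%s]\\n"', ...finalArgs], {
    shell: '/bin/sh',
    encoding: 'utf8',
  });
  return result.stdout.trimEnd().split('\n');
}

// Constructed sample value standing in for an untrusted argument.
const hostile = 'report.json; echo INJECTED';

// Unquoted: the shell splits at ';' and runs a second command.
console.log(receivedArgs([hostile], { quote: false }));
// Quoted: printf receives the whole value as a single argument.
console.log(receivedArgs([hostile], { quote: true }));
```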