zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-09 10:53:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent command injection in Prettier hook (#102)

Browse Source 
Security fix: Prevent command injection in Prettier hook by using execFileSync with array arguments instead of execSync with string concatenation.
This commit is contained in:
vinayakg
2026-01-29 12:30:24 +05:30
committed by GitHub
parent 8894e1bced
commit 899630341b
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hooks/hooks.json
View File

@@ -105,7 +105,7 @@
"hooks": [ "hooks": [
{ {
"type": "command", "type": "command",
"command": "node -e \"const{execSync}=require('child_process');const fs=require('fs');let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{const i=JSON.parse(d);const p=i.tool_input?.file_path;if(p&&fs.existsSync(p)){try{execSync('npx prettier --write \"'+p+'\"',{stdio:['pipe','pipe','pipe']})}catch(e){}}console.log(d)})\"" "command": "node -e \"const{execFileSync}=require('child_process');const fs=require('fs');let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{const i=JSON.parse(d);const p=i.tool_input?.file_path;if(p&&fs.existsSync(p)){try{execFileSync('npx',['prettier','--write',p],{stdio:['pipe','pipe','pipe']})}catch(e){}}console.log(d)})\""
} }
], ],
"description": "Auto-format JS/TS files with Prettier after edits" "description": "Auto-format JS/TS files with Prettier after edits"