zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-04-05 00:33:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: sanitize getExecCommand args, escape regex in getCommandPattern, clean up readStdinJson timeout, add 10 tests

Browse Source 
Validate args parameter in getExecCommand() against SAFE_ARGS_REGEX to
prevent command injection when returned string is passed to a shell.
Escape regex metacharacters in getCommandPattern() generic action branch
to prevent malformed patterns and unintended matching. Clean up stdin
listeners in readStdinJson() timeout path to prevent process hanging.
This commit is contained in:
Affaan Mustafa
2026-02-13 02:27:04 -08:00
parent d9331cb17f
commit a62a3a2416
3 changed files with 80 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
tests/lib/package-manager.test.js
View File

@@ -874,6 +874,62 @@ function runTests() {
}
})) passed++; else failed++;
// ─── Round 21: getExecCommand args validation ───
console.log('\ngetExecCommand (args validation):');
if (test('rejects args with shell metacharacter semicolon', () => {
assert.throws(() => pm.getExecCommand('prettier', '; rm -rf /'), /unsafe characters/);
})) passed++; else failed++;
if (test('rejects args with pipe character', () => {
assert.throws(() => pm.getExecCommand('prettier', '--write . | cat'), /unsafe characters/);
})) passed++; else failed++;
if (test('rejects args with backtick injection', () => {
assert.throws(() => pm.getExecCommand('prettier', '`whoami`'), /unsafe characters/);
})) passed++; else failed++;
if (test('rejects args with dollar sign', () => {
assert.throws(() => pm.getExecCommand('prettier', '$HOME'), /unsafe characters/);
})) passed++; else failed++;
if (test('rejects args with ampersand', () => {
assert.throws(() => pm.getExecCommand('prettier', '--write . && echo pwned'), /unsafe characters/);
})) passed++; else failed++;
if (test('allows safe args like --write .', () => {
const cmd = pm.getExecCommand('prettier', '--write .');
assert.ok(cmd.includes('--write .'), 'Should include safe args');
})) passed++; else failed++;
if (test('allows empty args without trailing space', () => {
const cmd = pm.getExecCommand('prettier', '');
assert.ok(!cmd.endsWith(' '), 'Should not have trailing space for empty args');
})) passed++; else failed++;
// ─── Round 21: getCommandPattern regex escaping ───
console.log('\ngetCommandPattern (regex escaping):');
if (test('escapes dot in action name for regex safety', () => {
const pattern = pm.getCommandPattern('test.all');
// The dot should be escaped to \\. in the pattern
const regex = new RegExp(pattern);
assert.ok(regex.test('npm run test.all'), 'Should match literal dot');
assert.ok(!regex.test('npm run testXall'), 'Should NOT match arbitrary character in place of dot');
})) passed++; else failed++;
if (test('escapes brackets in action name', () => {
const pattern = pm.getCommandPattern('build[prod]');
const regex = new RegExp(pattern);
assert.ok(regex.test('npm run build[prod]'), 'Should match literal brackets');
})) passed++; else failed++;
if (test('escapes parentheses in action name', () => {
// Should not throw when compiled as regex
const pattern = pm.getCommandPattern('foo(bar)');
assert.doesNotThrow(() => new RegExp(pattern), 'Should produce valid regex with escaped parens');
})) passed++; else failed++;
// Summary
console.log('\n=== Test Results ===');
console.log(`Passed: ${passed}`);