fix: eliminate command injection in hooks, fix pass-through newline corruption, add 8 tests

Replace shell: true with npx.cmd on Windows in post-edit-format.js and post-edit-typecheck.js to prevent command injection via crafted file paths. Replace console.log(data) with process.stdout.write(data) in check-console-log.js to avoid appending extra newlines to pass-through data.
2026-03-30 13:43:26 +08:00 · 2026-02-13 02:22:55 -08:00
parent f33ed4c49e
commit d9331cb17f
4 changed files with 82 additions and 7 deletions
--- a/scripts/hooks/check-console-log.js
+++ b/scripts/hooks/check-console-log.js
@@ -39,7 +39,7 @@ process.stdin.on('data', chunk => {
 process.stdin.on('end', () => {
  try {
    if (!isGitRepo()) {
-      console.log(data);
+      process.stdout.write(data);
      process.exit(0);
    }

@@ -65,5 +65,5 @@ process.stdin.on('end', () => {
  }

  // Always output the original data
-  console.log(data);
+  process.stdout.write(data);
 });
--- a/scripts/hooks/post-edit-format.js
+++ b/scripts/hooks/post-edit-format.js
@@ -27,10 +27,11 @@ process.stdin.on('end', () => {

    if (filePath && /\.(ts|tsx|js|jsx)$/.test(filePath)) {
      try {
-        execFileSync('npx', ['prettier', '--write', filePath], {
+        // Use npx.cmd on Windows to avoid shell: true which enables command injection
+        const npxBin = process.platform === 'win32' ? 'npx.cmd' : 'npx';
+        execFileSync(npxBin, ['prettier', '--write', filePath], {
          stdio: ['pipe', 'pipe', 'pipe'],
-          timeout: 15000,
-          shell: process.platform === 'win32'
+          timeout: 15000
        });
      } catch {
        // Prettier not installed, file missing, or failed — non-blocking
--- a/scripts/hooks/post-edit-typecheck.js
+++ b/scripts/hooks/post-edit-typecheck.js
@@ -49,12 +49,13 @@ process.stdin.on("end", () => {

      if (fs.existsSync(path.join(dir, "tsconfig.json"))) {
        try {
-          execFileSync("npx", ["tsc", "--noEmit", "--pretty", "false"], {
+          // Use npx.cmd on Windows to avoid shell: true which enables command injection
+          const npxBin = process.platform === "win32" ? "npx.cmd" : "npx";
+          execFileSync(npxBin, ["tsc", "--noEmit", "--pretty", "false"], {
            cwd: dir,
            encoding: "utf8",
            stdio: ["pipe", "pipe", "pipe"],
            timeout: 30000,
-            shell: process.platform === "win32",
          });
        } catch (err) {
          // tsc exits non-zero when there are errors — filter to edited file