github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-19 18:39:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

Security: use execFileSync instead of execSync with shell strings (#20655)

Browse Source 
Replace execSync (which spawns a shell) with execFileSync (which
invokes the binary directly with an argv array). This eliminates
command injection risk from interpolated arguments.

Co-authored-by: sirishacyd <sirishacyd@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
mahanandhi
2026-02-19 03:19:09 -08:00
committed by GitHub
parent ee6d0bd321
commit fb35635c10
2 changed files with 8 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/agents/date-time.ts
View File

@@ -1,4 +1,4 @@
import { execSync } from "node:child_process";
import { execFileSync } from "node:child_process";
export type TimeFormatPreference = "auto" | "12" | "24";
export type ResolvedTimeFormat = "12" | "24";
@@ -96,9 +96,10 @@ export function withNormalizedTimestamp<T extends Record<string, unknown>>(
function detectSystemTimeFormat(): boolean {
if (process.platform === "darwin") {
try {
const result = execSync("defaults read -g AppleICUForce24HourTime 2>/dev/null", {
const result = execFileSync("defaults", ["read", "-g", "AppleICUForce24HourTime"], {
encoding: "utf8",
timeout: 500,
stdio: ["pipe", "pipe", "pipe"],
}).trim();
if (result === "1") {
return true;
@@ -113,8 +114,9 @@ function detectSystemTimeFormat(): boolean {
if (process.platform === "win32") {
try {
const result = execSync(
'powershell -Command "(Get-Culture).DateTimeFormat.ShortTimePattern"',
const result = execFileSync(
"powershell",
["-Command", "(Get-Culture).DateTimeFormat.ShortTimePattern"],
{ encoding: "utf8", timeout: 1000 },
).trim();
if (result.startsWith("H")) {

4
src/daemon/program-args.ts
View File

@@ -148,10 +148,10 @@ async function resolveNodePath(): Promise<string> {
}
async function resolveBinaryPath(binary: string): Promise<string> {
const { execSync } = await import("node:child_process");
const { execFileSync } = await import("node:child_process");
const cmd = process.platform === "win32" ? "where" : "which";
try {
const output = execSync(`${cmd} ${binary}`, { encoding: "utf8" }).trim();
const output = execFileSync(cmd, [binary], { encoding: "utf8" }).trim();
const resolved = output.split(/\r?\n/)[0]?.trim();
if (!resolved) {
throw new Error("empty");