Security: use execFileSync instead of execSync with shell strings (#20655)
Replace execSync (which spawns a shell) with execFileSync (which invokes the binary directly with an argv array). This eliminates command injection risk from interpolated arguments. Co-authored-by: sirishacyd <sirishacyd@gmail.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
@@ -1,4 +1,4 @@
|
||||
import { execSync } from "node:child_process";
|
||||
import { execFileSync } from "node:child_process";
|
||||
|
||||
export type TimeFormatPreference = "auto" | "12" | "24";
|
||||
export type ResolvedTimeFormat = "12" | "24";
|
||||
@@ -96,9 +96,10 @@ export function withNormalizedTimestamp<T extends Record<string, unknown>>(
|
||||
function detectSystemTimeFormat(): boolean {
|
||||
if (process.platform === "darwin") {
|
||||
try {
|
||||
const result = execSync("defaults read -g AppleICUForce24HourTime 2>/dev/null", {
|
||||
const result = execFileSync("defaults", ["read", "-g", "AppleICUForce24HourTime"], {
|
||||
encoding: "utf8",
|
||||
timeout: 500,
|
||||
stdio: ["pipe", "pipe", "pipe"],
|
||||
}).trim();
|
||||
if (result === "1") {
|
||||
return true;
|
||||
@@ -113,8 +114,9 @@ function detectSystemTimeFormat(): boolean {
|
||||
|
||||
if (process.platform === "win32") {
|
||||
try {
|
||||
const result = execSync(
|
||||
'powershell -Command "(Get-Culture).DateTimeFormat.ShortTimePattern"',
|
||||
const result = execFileSync(
|
||||
"powershell",
|
||||
["-Command", "(Get-Culture).DateTimeFormat.ShortTimePattern"],
|
||||
{ encoding: "utf8", timeout: 1000 },
|
||||
).trim();
|
||||
if (result.startsWith("H")) {
|
||||
|
||||
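Review bot: In the win32 hunk (`@@ -113,8 +114,9 @@`) the options object `{ encoding: "utf8", timeout: 1000 }` has no `stdio` entry, so PowerShell's stderr is inherited by the parent process, whereas the darwin branch in the previous hunk pipes all three streams; the two branches should agree, e.g. `{ encoding: "utf8", timeout: 1000, stdio: ["pipe", "pipe", "pipe"] }`. Since the process is now launched without a shell, it is also worth passing `["-NoProfile", "-Command", "(Get-Culture).DateTimeFormat.ShortTimePattern"]` so the user's profile script is not executed before the query and does not eat into the 1000 ms timeout. Both hunks sit inside detectSystemTimeFormat, whose catch handling lies outside the shown lines.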
@@ -148,10 +148,10 @@ async function resolveNodePath(): Promise<string> {
|
||||
}
|
||||
|
||||
async function resolveBinaryPath(binary: string): Promise<string> {
|
||||
const { execSync } = await import("node:child_process");
|
||||
const { execFileSync } = await import("node:child_process");
|
||||
const cmd = process.platform === "win32" ? "where" : "which";
|
||||
try {
|
||||
const output = execSync(`${cmd} ${binary}`, { encoding: "utf8" }).trim();
|
||||
const output = execFileSync(cmd, [binary], { encoding: "utf8" }).trim();
|
||||
const resolved = output.split(/\r?\n/)[0]?.trim();
|
||||
if (!resolved) {
|
||||
throw new Error("empty");
|
||||
|
||||
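Review bot: `binary` is handed to `which`/`where` unchecked as its first argument at `execFileSync(cmd, [binary], { encoding: "utf8" })`, so a value beginning with `-` would be parsed as an option rather than a program name, and unlike the `defaults` call elsewhere in this commit the call has neither a `timeout` nor a piped `stdio`, so a hung lookup blocks and the tool's stderr leaks to the parent. Consider `if (binary.startsWith("-")) throw new Error("invalid binary name");` before the call and `execFileSync(cmd, [binary], { encoding: "utf8", timeout: 1000, stdio: ["pipe", "pipe", "pipe"] })`. resolveBinaryPath's body continues past the hunk, so the catch that handles these errors is not visible here.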