Commit f219e65

herdiyana256amishne authored and committed
refactor(dev-infra): use shell: false and quote args in benchmark-compare workflow
Currently, the exec() utility uses childProcess.spawn() with shell: true. This commit changes the spawn option to shell: false to prevent OS command injection vulnerabilities and quotes the benchmark target in the github action.
1 parent 32d768f commit f219e65

2 files changed

Lines changed: 10 additions & 4 deletions

.github/workflows/benchmark-compare.yml

Lines changed: 2 additions & 1 deletion
@@ -49,7 +49,8 @@ jobs:
4949
COMMENT_BODY: ${{ github.event.comment.body }}
5050
run: pnpm benchmarks prepare-for-github-action "$COMMENT_BODY"
5151

52-
- run: pnpm benchmarks run-compare ${{steps.info.outputs.compareSha}} ${{steps.info.outputs.benchmarkTarget}}
52+
- run: pnpm benchmarks run-compare ${{steps.info.outputs.compareSha}} "${{steps.info.outputs.benchmarkTarget}}"
53+
5354
id: benchmark
5455
name: Running benchmark
5556
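Review bot: quoting `"${{steps.info.outputs.benchmarkTarget}}"` on the new line 52 only protects against word splitting, because `${{ }}` expressions are substituted into the script text before the shell parses it, so a value containing a double quote or `$(...)` is still interpreted by the shell. Since this job is driven by an issue comment, prefer the pattern already used two lines above for `COMMENT_BODY` (`env:` entry with `${{ github.event.comment.body }}`, then `"$COMMENT_BODY"` in `run:`) for both step outputs; `${{steps.info.outputs.compareSha}}` is also still interpolated unquoted on the same line.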

scripts/benchmarks/utils.mts

Lines changed: 8 additions & 3 deletions
@@ -17,15 +17,20 @@ const scriptDir = path.dirname(url.fileURLToPath(import.meta.url));
1717
export const projectDir: string = path.join(scriptDir, '../..');
1818

1919
/**
20-
* Executes the given command, forwarding stdin, stdout and stderr while
21-
* still capturing stdout in order to return it.
20+
* Executes the given command with the provided arguments. Arguments are passed
21+
* as a discrete array to the child process, bypassing shell interpretation.
22+
* This ensures that special shell characters within arguments are treated as
23+
* literal values and cannot be used to inject additional commands.
2224
*/
2325
export function exec(cmd: string, args: string[] = []): Promise<string> {
2426
return new Promise((resolve, reject) => {
2527
Log.info('Running command:', cmd, args.join(' '));
2628

2729
const proc = childProcess.spawn(cmd, args, {
28-
shell: true,
30+
// Do not use a shell to spawn the process. This ensures that arguments
31+
// are passed directly to the executable without shell interpretation,
32+
// preventing injection via shell metacharacters.
33+
shell: false,
2934
cwd: projectDir,
3035
// Only capture `stdout`. Forward the rest to the parent TTY.
3136
stdio: ['inherit', 'pipe', 'inherit'],
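Review bot: switching to `shell: false` at the new line 33 changes what `cmd` may be, so every caller of `exec()` should be checked: a command string that previously carried its own arguments, a shell builtin, an `&&` chain or a glob pattern will no longer work, and on Windows `.cmd`/`.bat` shims such as `pnpm.cmd` cannot be spawned without a shell at all. The rewritten doc comment (new lines 20-23) also drops the sentence about forwarding stdin and stderr while capturing stdout to return it, which the `stdio: ['inherit', 'pipe', 'inherit']` option below still implements; keep that sentence so the return value stays documented, and state that `cmd` must now resolve to an executable rather than a shell string.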

0 commit comments
