fix: use execFile in cloneRepo to avoid shell interpolation of user input

fernandomg · fernandomg · commit 72122c93f31b · 2026-03-20T14:53:49.000+01:00
cloneRepo previously interpolated projectName into shell command strings
via exec(). While isValidName restricts to [a-zA-Z0-9_], this switches
to execFile (no shell) for defense-in-depth. Only the git checkout with
$() substitution still uses shell exec since it has no user input.
diff --git a/source/operations/cloneRepo.ts b/source/operations/cloneRepo.ts
@@ -1,15 +1,16 @@
 import { repoUrl } from '../constants/config.js'
 import { getProjectFolder } from '../utils/utils.js'
-import { exec } from './exec.js'
+import { exec, execFile } from './exec.js'
 
 export async function cloneRepo(projectName: string): Promise<void> {
   const projectFolder = getProjectFolder(projectName)
 
-  await exec(`git clone --depth 1 --no-checkout ${repoUrl} ${projectName}`)
-  await exec('git fetch --tags', { cwd: projectFolder })
+  await execFile('git', ['clone', '--depth', '1', '--no-checkout', repoUrl, projectName])
+  await execFile('git', ['fetch', '--tags'], { cwd: projectFolder })
+  // Shell required for $() command substitution
   await exec('git checkout $(git describe --tags $(git rev-list --tags --max-count=1))', {
     cwd: projectFolder,
   })
-  await exec('rm -rf .git', { cwd: projectFolder })
-  await exec('git init', { cwd: projectFolder })
+  await execFile('rm', ['-rf', '.git'], { cwd: projectFolder })
+  await execFile('git', ['init'], { cwd: projectFolder })
 }
diff --git a/source/operations/exec.ts b/source/operations/exec.ts
@@ -1,7 +1,8 @@
-import { exec as nodeExec } from 'node:child_process'
+import { exec as nodeExec, execFile as nodeExecFile } from 'node:child_process'
 import { promisify } from 'node:util'
 
 const execAsync = promisify(nodeExec)
+const execFileAsync = promisify(nodeExecFile)
 
 export async function exec(command: string, options: { cwd?: string } = {}): Promise<string> {
   try {
@@ -16,3 +17,21 @@ export async function exec(command: string, options: { cwd?: string } = {}): Pro
     throw new Error(message)
   }
 }
+
+export async function execFile(
+  file: string,
+  args: string[],
+  options: { cwd?: string } = {},
+): Promise<string> {
+  try {
+    const { stdout } = await execFileAsync(file, args, {
+      cwd: options.cwd,
+    })
+
+    return stdout.trim()
+  } catch (error: unknown) {
+    const execError = error as { stderr?: string; message?: string }
+    const message = execError.stderr?.trim() || execError.message || 'Unknown error'
+    throw new Error(message)
+  }
+}
