elias/oh-my-opencode
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent command injection in git diff stats collection

Browse Source 
Replace execSync with string commands with execFileSync using argument
arrays to avoid shell interpretation of file paths with special chars.
This commit is contained in:
YeonGyu-Kim 2026-02-08 18:39:36 +09:00
parent d5f0e75b7d
commit cbb7771525
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/shared/git-worktree/collect-git-diff-stats.ts
View File

@ -1,11 +1,11 @@
import { execSync } from "node:child_process"
import { execFileSync } from "node:child_process"
import { parseGitStatusPorcelain } from "./parse-status-porcelain"
import { parseGitDiffNumstat } from "./parse-diff-numstat"
import type { GitFileStat } from "./types"
export function collectGitDiffStats(directory: string): GitFileStat[] {
try {
const diffOutput = execSync("git diff --numstat HEAD", {
const diffOutput = execFileSync("git", ["diff", "--numstat", "HEAD"], {
cwd: directory,
encoding: "utf-8",
timeout: 5000,
@ -14,7 +14,7 @@ export function collectGitDiffStats(directory: string): GitFileStat[] {
if (!diffOutput) return []
const statusOutput = execSync("git status --porcelain", {
const statusOutput = execFileSync("git", ["status", "--porcelain"], {
cwd: directory,
encoding: "utf-8",
timeout: 5000,