Simplify app dev, build, server, preview usage via cli #121
Conversation
| export async function cleanDist() { | ||
| console.log('♻️ Cleaning dist directory...'); | ||
| await execa(`${getDepsBinPath('rimraf')} dist`, { |
Check warning
Code scanning / CodeQL
Shell command built from environment values (Medium)
absolute path
Copilot Autofix
AI 6 days ago
To fix this vulnerability, we should avoid forming a full command string and using the `shell: true` option, since this subjects the input to shell parsing. Instead, we should call `execa()` with the command and its arguments as separate parameters, ensuring user-supplied or environment-derived values are not interpreted by the shell.

Specifically:
- If `getDepsBinPath('rimraf')` returns a command like `'npx rimraf'`, we should split it into command (`'npx'`) and arguments (`['rimraf', 'dist']`).
- If it returns a direct path like `.../.bin/rimraf`, we should call that path with `['dist']` as the argument.
- Therefore, we need code to:
  - Parse the result from `getDepsBinPath` into command and arguments.
  - Call `execa(cmd, args)` (with no `shell: true`), not one command string.
- Only the `npm-packages/cli/source/lib/execa-utils/clean.ts` file needs changing.
| @@ -3,8 +3,8 @@ | ||
|
|
||
| export async function cleanDist() { | ||
| console.log('♻️ Cleaning dist directory...'); | ||
| await execa(`${getDepsBinPath('rimraf')} dist`, { | ||
| shell: true, | ||
| }); | ||
| const cmdLine = getDepsBinPath('rimraf'); | ||
| const [cmd, ...cmdArgs] = cmdLine.split(' '); | ||
| await execa(cmd, [...cmdArgs, 'dist']); | ||
| console.log('✅ Cleaned dist directory.'); | ||
| } |
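Review bot: `cmdLine.split(' ')` on R7 makes the fix depend on the value returned by `getDepsBinPath('rimraf')` containing no spaces; since the autofix text says it can also be a direct `.../.bin/rimraf` path, a checkout under a directory with a space in its name (common in Windows and macOS home directories) would be split into a bogus command and a stray argument, and `cleanDist()` would fail with ENOENT. Prefer having `getDepsBinPath` return the command and its arguments structurally (for example `{ cmd, args }`) so nothing is parsed here, or only split when the value starts with the known `npx` runner and otherwise pass the whole string as `cmd`. Dropping `shell: true` is the right call; the remaining fragility is in the string parsing, not in the spawn.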