-
Notifications
You must be signed in to change notification settings - Fork 0
Potential fix for code scanning alert no. 3: Uncontrolled command line #8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -170,30 +170,42 @@ export function pickAsset(release: ReleaseInfo, mode: 'auto' | 'installer' | 'ex | |||||||||||||||||||||||||||||||||||
| export async function applyUpdateInstaller(installerPath: string, silent: boolean, elevate: boolean) { | ||||||||||||||||||||||||||||||||||||
| logger.info('Launching installer...'); | ||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||
| const args = []; | ||||||||||||||||||||||||||||||||||||
| const args: string[] = []; | ||||||||||||||||||||||||||||||||||||
| if (silent) { | ||||||||||||||||||||||||||||||||||||
| args.push('/VERYSILENT', '/SUPPRESSMSGBOXES', '/NORESTART'); | ||||||||||||||||||||||||||||||||||||
| } | ||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||
| if (elevate) { | ||||||||||||||||||||||||||||||||||||
| // Use PowerShell Start-Process -Verb RunAs | ||||||||||||||||||||||||||||||||||||
| // To prevent command injection, we pass arguments via environment variables. | ||||||||||||||||||||||||||||||||||||
| const envVars: Record<string, string> = { | ||||||||||||||||||||||||||||||||||||
| 'PS_INSTALLER_PATH': installerPath, | ||||||||||||||||||||||||||||||||||||
| 'PS_INSTALLER_ARGS': args.join(' ') | ||||||||||||||||||||||||||||||||||||
| }; | ||||||||||||||||||||||||||||||||||||
| // Use PowerShell Start-Process with environment variables for both elevated and non-elevated runs | ||||||||||||||||||||||||||||||||||||
| const envVars: Record<string, string> = { | ||||||||||||||||||||||||||||||||||||
| 'PS_INSTALLER_PATH': installerPath, | ||||||||||||||||||||||||||||||||||||
| 'PS_INSTALLER_ARGS': args.join(' ') | ||||||||||||||||||||||||||||||||||||
| }; | ||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||
| const basePsCommand = ` | ||||||||||||||||||||||||||||||||||||
| $p = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_PATH') | ||||||||||||||||||||||||||||||||||||
| $a = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_ARGS') | ||||||||||||||||||||||||||||||||||||
|
Comment on lines
+181
to
+186
|
||||||||||||||||||||||||||||||||||||
| 'PS_INSTALLER_ARGS': args.join(' ') | |
| }; | |
| const basePsCommand = ` | |
| $p = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_PATH') | |
| $a = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_ARGS') | |
| 'PS_INSTALLER_ARGS_JSON': JSON.stringify(args) | |
| }; | |
| const basePsCommand = ` | |
| $p = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_PATH') | |
| $aJson = [System.Environment]::GetEnvironmentVariable('PS_INSTALLER_ARGS_JSON') | |
| if ([string]::IsNullOrWhiteSpace($aJson)) { | |
| $a = @() | |
| } else { | |
| $a = $aJson | ConvertFrom-Json | |
| } |
Copilot
AI
Dec 21, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is code duplication between the elevated and non-elevated branches. Both branches construct nearly identical PowerShell commands and invoke execa with the same parameters, differing only by the presence of '-Verb RunAs' in the Start-Process call.
Consider extracting the common logic to reduce duplication. For example, construct the Start-Process line conditionally and use a single execa invocation.
Copilot
AI
Dec 21, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The applyUpdateInstaller function lacks test coverage. The existing test file tests/selfUpdate.test.ts tests checkForUpdates and pickAsset, but doesn't include tests for applyUpdateInstaller.
Given the security-sensitive nature of this function (handling installer execution) and that comprehensive automated testing exists for this module, consider adding tests to verify that the PowerShell command is constructed correctly for both elevated and non-elevated cases, and that arguments are properly passed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
issue (bug_risk): Combining arguments into a single space-separated string risks incorrect parsing when arguments contain spaces or special characters.
Previously
execa(installerPath, args)kept each argument separate, but now all args are collapsed into one string and passed viaPS_INSTALLER_ARGStoStart-Process -ArgumentList. Any arg with spaces or special chars may be split or misparsed by PowerShell. To avoid this, either preserve the array structure (e.g., one env var per arg and rebuild an array in PowerShell) or encode the args in a format that can be safely reconstructed (e.g., JSON +ConvertFrom-Json).