prevent shell command injection

switch from cp.exec to cp.spawn to prevent shell command injection.

Use path-expansion logic from nodeZip in nativeZip to maintain feature parity without any vulnerability.

lib/bestzip.js

@@ -65,30 +65,32 @@ function walkDir(fullPath) {
 
 const nativeZip = options =>
   new Promise((resolve, reject) => {
-    const sources = Array.isArray(options.source)
-      ? options.source.join(" ")
-      : options.source;
-    const command = `zip --quiet --recurse-paths ${
-      options.destination
-    } ${sources}`;
-    const zipProcess = cp.exec(command, {
-      stdio: "inherit",
-      cwd: options.cwd
-    });
-    zipProcess.on("error", reject);
-    zipProcess.on("close", exitCode => {
-      if (exitCode === 0) {
-        resolve();
-      } else {
-        // exit code 12 means "nothing to do" right?
-        //console.log('rejecting', zipProcess)
-        reject(
-          new Error(
-            `Unexpected exit code from native zip command: ${exitCode}\n executed command '${command}'\n executed inin directory '${options.cwd ||
-              process.cwd()}'`
-          )
-        );
-      }
+    const cwd = options.cwd || process.cwd();
+    const command = "zip";
+    expandSources(cwd, options.source, (err, sources) => {
+      const args = ["--quiet", "--recurse-paths", options.destination].concat(
+        sources
+      );
+      const zipProcess = cp.spawn(command, args, {
+        stdio: "inherit",
+        cwd
+      });
+      zipProcess.on("error", reject);
+      zipProcess.on("close", exitCode => {
+        if (exitCode === 0) {
+          resolve();
+        } else {
+          // exit code 12 means "nothing to do" right?
+          //console.log('rejecting', zipProcess)
+          reject(
+            new Error(
+              `Unexpected exit code from native zip: ${exitCode}\n executed command '${command} ${args.join(
+                " "
+              )}'\n executed in directory '${cwd}'`
+            )
+          );
+        }
+      });
     });
   });