From 1e992726e7ee8ea982d2865a719baef1752ec773 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Sun, 17 May 2026 15:47:48 +0000
Subject: [PATCH] fix: detected calls to child_process from a function... in index.ts

Detected calls to child_process from a function argument `command`

Addresses javascript.lang.security.detect-child-process.detect-child-process
---
 scripts/ci/build-monaco-editor-core-pkg.ts | 2 +-
 scripts/lib/index.ts | 24 ++++++++++++----------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/scripts/ci/build-monaco-editor-core-pkg.ts b/scripts/ci/build-monaco-editor-core-pkg.ts
index c130670a8a..91b2ff6747 100644
--- a/scripts/ci/build-monaco-editor-core-pkg.ts
+++ b/scripts/ci/build-monaco-editor-core-pkg.ts
@@ -1,4 +1,4 @@
-import { rm } from 'fs/promises';
+import { rm, writeFile } from 'fs/promises';
 import { join } from 'path';
 import { PackageJson, group, gitShallowClone, run, writeJsonFile, getNightlyVersion } from '../lib';
 import { getNightlyEnv } from './env';
diff --git a/scripts/lib/index.ts b/scripts/lib/index.ts
index a6a26b4da6..3b5e93cf9f 100644
--- a/scripts/lib/index.ts
+++ b/scripts/lib/index.ts
@@ -5,9 +5,10 @@ export interface RunOptions {
 cwd: string;
 }
 
-export async function run(command: string, options: RunOptions) {
-console.log(`Running ${command} in ${options.cwd}`);
-const process = spawn(command, { shell: true, cwd: options.cwd, stdio: 'inherit' });
+export async function run(command: string[], options: RunOptions) {
+console.log(`Running ${command.join(' ')} in ${options.cwd}`);
+const [cmd, ...args] = command;
+const process = spawn(cmd, args, { shell: false, cwd: options.cwd, stdio: 'inherit' });
 return new Promise((resolve, reject) => {
 process.on('exit', (code) => {
 if (code !== 0) {
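Review bot: `writeFile` is added to the `fs/promises` import on the `+` line, but this file's only other change is that same line (diffstat: 1 insertion, 1 deletion), so unless `writeFile` was already referenced somewhere without an import the new name is unused and the line should stay `import { rm } from 'fs/promises';`. The file also imports `run` from `../lib`, whose first parameter changes from `string` to `string[]` in the second file of this commit; if any `run('...')` call in this file still passes a string (none are visible here), it will no longer type-check and `command.join` would throw at runtime, so those call sites need the array form in the same commit.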
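Review bot: With `shell: false` an empty `command` array leaves `cmd` undefined, so the `spawn` on the new line throws synchronously before the Promise is created, and a binary that cannot be found is now reported through the child's `'error'` event (ENOENT) rather than a non-zero exit code; only an `'exit'` listener is visible in the hunk, and an unhandled `'error'` event would crash the script. Guard before spawning, `if (command.length === 0) throw new Error('run: empty command');`, and, unless the part of the function below the hunk already does so, add `process.on('error', reject);` inside the Promise executor. Dropping the shell also means names that previously resolved through `cmd.exe` on Windows (`npm`, `npx` .cmd shims) may no longer launch by bare name, so callers outside this diff should be checked. A one-line TSDoc on `run`, e.g. `/** Spawns command[0] with command.slice(1) as argv, never through a shell; rejects on a non-zero exit code. */`, would document the new contract.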
@@ -19,10 +20,11 @@ export async function run(command: string, options: RunOptions) {
 });
 }
 
-export async function runGetOutput(command: string, options: RunOptions): Promise {
-console.log(`Running ${command} in ${options.cwd}`);
+export async function runGetOutput(command: string[], options: RunOptions): Promise {
+console.log(`Running ${command.join(' ')} in ${options.cwd}`);
 return new Promise((resolve, reject) => {
-const process = spawn(command, { shell: true, cwd: options.cwd, stdio: 'pipe' });
+const [cmd, ...args] = command;
+const process = spawn(cmd, args, { shell: false, cwd: options.cwd, stdio: 'pipe' });
 let output = '';
 process.stdout.on('data', (data) => {
 output += data;
@@ -38,7 +40,7 @@ export async function runGetOutput(command: string, options: RunOptions): Promis
 }
 
 export async function gitCommitId(repositoryPath: string): Promise {
-const commitId = (await runGetOutput('git rev-parse HEAD', { cwd: repositoryPath })).trim();
+const commitId = (await runGetOutput(['git', 'rev-parse', 'HEAD'], { cwd: repositoryPath })).trim();
 return commitId;
 }
 
@@ -49,10 +51,10 @@ export async function gitShallowClone(
 ): Promise<{ commitId: string }> {
 await mkdir(targetPath, { recursive: true });
 const options: RunOptions = { cwd: targetPath };
-await run('git init', options);
-await run(`git remote add origin ${repositoryUrl}`, options);
-await run(`git fetch --depth 1 origin ${ref}`, options);
-await run(`git checkout ${ref}`, options);
+await run(['git', 'init'], options);
+await run(['git', 'remote', 'add', 'origin', repositoryUrl], options);
+await run(['git', 'fetch', '--depth', '1', 'origin', ref], options);
+await run(['git', 'checkout', ref], options);
 const commitId = await gitCommitId(targetPath);
 console.log(`Cloned ${repositoryUrl} (${commitId}) to ${targetPath}`);
 return { commitId };
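Review bot: The `[cmd, ...args]` destructure and the `spawn(cmd, args, { shell: false, ... })` call added here duplicate the lines added to `run` in the previous hunk; a private helper such as `function spawnArgv(command: string[], cwd: string, stdio: 'inherit' | 'pipe') { const [cmd, ...args] = command; return spawn(cmd, args, { shell: false, cwd, stdio }); }` would keep the no-shell invariant in one place. Because this spawn sits inside the Promise executor, a synchronous throw (for example an empty `command`) at least becomes a rejection, but a failed launch (ENOENT) arrives as the child's `'error'` event, which no visible line subscribes to; the body continues past the hunk, so confirm `process.on('error', reject)` exists there. With `stdio: 'pipe'` stderr is piped as well, and if the lines below neither read nor inherit it a chatty child can block on a full pipe — worth verifying.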
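Review bot: Argv arrays stop shell interpretation, but `repositoryUrl` and `ref` still reach git as positional arguments, so a value beginning with `-` is parsed as an option (a `ref` such as `--upload-pack=<cmd>` on the fetch line can run a command); the parameter list of `gitShallowClone` is above the hunk, so whether callers are trusted cannot be judged from here. Reject such values before the first `run`, `for (const v of [repositoryUrl, ref]) { if (v.startsWith('-')) throw new Error('refusing git argument that looks like an option: ' + v); }`, and on the fetch line an end-of-options marker, `['git', 'fetch', '--depth', '1', '--', 'origin', ref]`, gives the same protection (checkout cannot take `--` before `ref` without turning it into a pathspec). Shell word-splitting is gone as well, so a `ref` containing spaces now arrives as a single argument — intended, but a behaviour change for any caller that relied on it.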