fix: shell-quote inferred workspace validation paths by ganesh47 · Pull Request #58 · ganesh47/cstack

ganesh47 · 2026-04-23T04:49:00Z

Inferred validation commands embedded repository-controlled workspace paths directly into shell strings (e.g., npm --prefix ${targetPath} ..., cd ${targetPath} && ..., mvn -f ${targetPath}/pom.xml ...) which were later executed with a shell (-lc), creating a command-injection risk from malicious directory names.

Add a shellQuote helper that POSIX single-quotes values and safely escapes embedded single quotes via value.replace(/'/g, "'\"'\"'").
Use shellQuote when interpolating nested workspace targetPath into inferred package manager commands in buildWorkspacePackageScriptCommand for npm, yarn, and pnpm so paths are quoted.
Use shellQuote for cd-based uv commands and for the Maven -f argument in inferWorkspaceTargetDetails so inferred cd and mvn -f invocations do not allow shell metacharacters to be evaluated.
Update tests in test/validation.test.ts to expect quoted nested paths and add a regression test that constructs a workspace directory containing a semicolon to assert the inferred command is quoted rather than executable as a shell fragment.

Ran the targeted unit tests with npm test -- test/validation.test.ts and the suite passed (1 file, 8 tests passed).
Ran static type checking with npm run typecheck and it completed successfully.

fix: shell-quote inferred workspace validation paths

c662cbc

ganesh47 added codex aardvark labels Apr 23, 2026 — with ChatGPT Codex Connector

Provide feedback