fix(updateServer): uncontrolled command line via execFileSync #3414


Open
wants to merge 1 commit into
base: v7

Conversation

odaysec

@odaysec odaysec commented Jun 2, 2025

const {execSync} = require('child_process');

// repoUrl is untrusted input (its definition is not shown in this excerpt);
// interpolating it into a single shell string is the flaw this PR addresses.
execSync(
  `git checkout -- ./ && git pull -X theirs ${repoUrl} ` +
  `glitch && refresh && git branch -D glitch`,
);

To fix the issue, the code should avoid interpolating untrusted user input directly into a shell command. Instead, use safer alternatives such as execFileSync, which accepts arguments as an array and does not spawn a shell by default. This approach prevents command injection by treating each argument as a literal value rather than part of a shell command. Additionally, validate the repoUrl input to ensure it conforms to expected patterns (e.g., a valid URL or repository name).

Steps to fix:

  1. Replace execSync with execFileSync to avoid spawning a shell.
  2. Pass the repoUrl as an argument in an array to execFileSync.
  3. Validate repoUrl to ensure it is a safe and expected value (e.g., using a regular expression or an allowlist).

Code that passes untrusted user input directly to child_process.exec or similar APIs that execute shell commands allows the user to execute malicious code.

References
shell-quote


1 participant