[Aikido] AI Fix for Potential for OS command injection via child_process call #333
Conversation
Deploying demo-time with
|
| Latest commit: |
7325c61
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ab582147.demo-time.pages.dev |
| Branch Preview URL: | https://fix-aikido-security-sast-117.demo-time.pages.dev |
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
|
Replace shell command execution with
|
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
| } | ||
|
|
||
| if (platform === 'windows' && command.toLowerCase() === 'powershell') { | ||
| command = `${command} -File`; |
There was a problem hiding this comment.
On Windows, execFile treats inline args as part of the executable. Appending -File to command makes it look for an exe named "powershell -File", causing ENOENT. Consider keeping command as "powershell" and putting -File in args (e.g., ["-File", scriptPath.fsPath]).
- command = `${command} -File`;
-
- const args = [scriptPath.fsPath];
+
+ const args = platform === 'windows' && command.toLowerCase() === 'powershell'
+ ? ['-File', scriptPath.fsPath]
+ : [scriptPath.fsPath];🚀 Want me to fix this? Reply ex: "fix it for me".
This patch mitigates command injection by passing command arguments separately instead of using string concatenation.
Aikido used AI to generate this PR.
Low confidence: Aikido has tested similar fixes, which indicate the correct approach but may be incomplete. Further validation is necessary.