Add extra comments for regex clarification

Sander Declerck 2025-10-27 10:49:26 +01:00
parent f5f3b91b40
commit 0029a7e1c1
No known key found for this signature in database


@ -52,7 +52,9 @@ function resolveCommandPath(command) {
} }
export async function safeSpawn(command, args, options = {}) { export async function safeSpawn(command, args, options = {}) {
// command should always be alphanumeric or _ or - to avoid injection // The command is always one of our supported package managers.
// It should always be alphanumeric or _ or -
// Reject any command names with suspicious characters
if (!/^[a-zA-Z0-9_-]+$/.test(command)) { if (!/^[a-zA-Z0-9_-]+$/.test(command)) {
throw new Error(`Invalid command name: ${command}`); throw new Error(`Invalid command name: ${command}`);
} }
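Review bot: The new comment at the top of safeSpawn says the command is always one of the supported package managers, but the check below it only restricts the character set, so any name made of letters, digits, `_` or `-` is accepted. I would have the comment state what the regex guarantees and what it does not, for example `// Defence in depth: only [a-zA-Z0-9_-] is accepted, which keeps shell metacharacters, whitespace and path separators out of the command name; it does not verify that the command is a supported package manager.` If the set of supported managers is fixed, comparing `command` against that list would enforce the first comment line directly instead of relying on callers. The `args` parameter is not covered by this check, and safeSpawn's body continues outside the hunk, so how the command and args reach the spawn call cannot be judged from here.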