Fix command injection

2026-05-26 12:10:49 +00:00 · 2025-07-18 11:15:21 +02:00 · 2025-07-18 11:15:21 +02:00 · 41bf3252d9
commit 41bf3252d9
parent 8ffb0191f5
11 changed files with 116 additions and 29 deletions
--- a/src/shell-integration/supported-shells/bash.js
+++ b/src/shell-integration/supported-shells/bash.js
@ -1,9 +1,9 @@
 import {
  addLineToFile,
  doesExecutableExistOnSystem,
-  execAndGetOutput,
  removeLinesMatchingPattern,
 } from "../helpers.js";
+import { execSync } from "child_process";

 const shellName = "Bash";
 const executableName = "bash";
@ -14,7 +14,7 @@ function isInstalled() {
 }

 function teardown() {
-  const startupFile = execAndGetOutput(startupFileCommand, executableName);
+  const startupFile = getStartupFile();

  // Removes all aliases starting with "alias npm=", "alias npx=", or "alias yarn="
  // This will remove the safe-chain aliases for npm, npx, and yarn commands.
@ -24,7 +24,7 @@ function teardown() {
 }

 function setup(tools) {
-  const startupFile = execAndGetOutput(startupFileCommand, executableName);
+  const startupFile = getStartupFile();
  teardown();

  for (const { tool, aikidoCommand } of tools) {
@ -37,6 +37,19 @@ function setup(tools) {
  return true;
 }

+function getStartupFile() {
+  try {
+    return execSync(startupFileCommand, {
+      encoding: "utf8",
+      shell: executableName,
+    }).trim();
+  } catch (error) {
+    throw new Error(
+      `Command failed: ${startupFileCommand}. Error: ${error.message}`
+    );
+  }
+}
+
 export default {
  name: shellName,
  isInstalled,