BUG: Potential command injection from langcc's arguments
Your implementation of langcc is elegant and beautifully crafted.
However, from a security perspective, there's a command injection vulnerability (CWE-78) in how langcc handles command-line arguments.
In the source code, concatenating `cmds` into a single string `cmd` and passing it to `system(cmd)` creates a command injection risk.
- Proof of Concept:

```sh
(langcc) $ ./deps_ubuntu.sh && make -j 112
(langcc) $ build/langcc -i src examples/basic/basic.lang '$(echo hello > /tmp/hack)'
...
(langcc) $ cat /tmp/hack
hello
```
This demonstrates the vulnerability: the injected command `echo hello > /tmp/hack` is executed by langcc, as verified by `cat /tmp/hack`.
- Suggested Fix:
The vulnerability can be fixed by replacing `system()` with `execvp()`. Here's a patch.txt.
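To show what the suggested fix looks like in practice, here is an added example (it is neither the reporter's patch nor langcc's own code, and the function names `run_argv_capture` and `echo_literal` are hypothetical). Instead of joining arguments into one string for `system()`, the child is started with `fork()` and `execvp()` from an argument vector and its stdout is read back through a pipe. The payload string from the proof of concept above is handed over as a single `argv` entry, so no shell ever parses it and the child simply prints it back verbatim.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run argv[0] with the given argument vector, without a shell.
 * Each argv[i] reaches the child exactly as given: "$(...)", ";", "|"
 * and similar characters are plain bytes because no shell interprets them.
 * The child's stdout is captured into out (at most out_len-1 bytes; any
 * overflow is read and discarded so the child never blocks on write).
 * Returns the child's exit status, or -1 on pipe/fork/wait failure.
 * Added illustration with hypothetical names, not langcc's API. */
int run_argv_capture(char *const argv[], char *out, size_t out_len) {
    int fds[2];
    if (pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }

    if (pid == 0) {
        /* child: route stdout into the pipe, then replace the process image */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);            /* execvp only returns if it failed */
    }

    /* parent: drain the pipe until EOF, keeping what fits in out */
    close(fds[1]);
    char scratch[256];
    size_t used = 0;
    for (;;) {
        int fits = (used + 1 < out_len);
        char *dst = fits ? out + used : scratch;
        size_t room = fits ? out_len - 1 - used : sizeof scratch;
        ssize_t n = read(fds[0], dst, room);
        if (n <= 0) break;
        if (fits) used += (size_t)n;
    }
    if (out_len) out[used] = '\0';
    close(fds[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Echo one argument through the safe launcher and return what the child
 * printed. Used below with the proof-of-concept payload from the report. */
int echo_literal(const char *arg, char *out, size_t out_len) {
    char *argv[] = { "echo", (char *)arg, NULL };
    return run_argv_capture(argv, out, out_len);
}

int main(void) {
    char buf[256];
    /* constructed input: the same string the proof of concept passes */
    const char *payload = "$(echo hello > /tmp/hack)";
    int rc = echo_literal(payload, buf, sizeof buf);
    printf("exit=%d output=%s", rc, buf);   /* output is the literal payload */
    return rc;
}
```

With `system()` the same string would have been handed to `/bin/sh -c`, which evaluates `$(...)` before `echo` ever runs; with `execvp()` the argument vector is passed straight to the kernel, so the only way to get shell behaviour is to ask for it explicitly. The remaining caveat is `execvp()`'s `PATH` lookup: if the program name itself can be influenced by untrusted input, use an absolute path or `execv()`.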