fix(create-locales): shell command built from environment values
https://github.com/mozilla/addons-frontend/blob/1cd93c99caaf3bb1c6228b3d63c3b62755d323ac/bin/create-locales#L15-L15 https://github.com/mozilla/addons-frontend/blob/1cd93c99caaf3bb1c6228b3d63c3b62755d323ac/bin/create-locales#L37-L38
To fix the issue, we will replace the use of shell.exec with a safer alternative that avoids shell interpretation of dynamic values. Specifically, we will use child_process.execFileSync, which allows us to pass arguments to the command as an array, ensuring that special characters in the arguments are not interpreted by the shell.
- Replace the `shell.exec` call on line 37 with a call to `child_process.execFileSync`.
- Import the `child_process` module at the top of the file if it is not already imported.
- Construct the command and its arguments separately, passing the arguments as an array to `execFileSync`.
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 98.29%. Comparing base (1cd93c9) to head (6f78a7f).
:warning: Report is 328 commits behind head on master.
Additional details and impacted files
```diff
@@           Coverage Diff           @@
##           master   #13607   +/-   ##
=======================================
  Coverage   98.29%   98.29%
=======================================
  Files         268      268
  Lines       10644    10644
  Branches     3263     3263
=======================================
  Hits        10462    10462
  Misses        169      169
  Partials       13       13
```
We missed this among some other PRs - if this is fixing an already filed issue, please link to it in the description; if this is a problem that doesn't have an issue yet, please file one at https://github.com/addons/issue