resolve code scanning vulnerability alerts (#1331)

* fix(cli): resolve alerts for code scanning

* fix(cli): add fix for Util code scanning problem for shell command

* fix(cli): add spawnSync and fix tests

* fix(cli): resolve alerts for code scanning in package manager and fix tests

* fix(cli): remove getSecureRandomNumber function

* fix(cli): add spawnSync function to Util

---------

Co-authored-by: Hristo Hristov <[email protected]>

Author: Hristo313

packages/core/packages/PackageManager.ts

@@ -1,4 +1,4 @@
-import { exec, spawnSync } from "child_process";
+import { exec } from "child_process";
 import * as path from "path";
 import { TemplateManager } from "../../cli/lib/TemplateManager";
 import { Config, FS_TOKEN, IFileSystem, ProjectTemplate } from "../types";
@@ -123,18 +123,18 @@ export class PackageManager {
 	}
 
 	public static removePackage(packageName: string, verbose: boolean = false): boolean {
-		let command: string;
 		const managerCommand = this.getManager();
+		let args: string[];
 		switch (managerCommand) {
 			case "npm":
 			/* passes through */
 			default:
-				command = `${managerCommand} uninstall ${packageName} --quiet --save`;
+				args = ['uninstall', packageName, '--quiet', '--save'];
 				break;
 		}
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.execSync(command, { stdio: "pipe", encoding: "utf8" });
+			Util.spawnSync(managerCommand, args, { stdio: "pipe", encoding: "utf8" });
 		} catch (error) {
 			Util.log(`Error uninstalling package ${packageName} with ${managerCommand}`);
 			if (verbose) {
@@ -225,7 +225,7 @@ export class PackageManager {
 		const fullPackageRegistry = config.igPackageRegistry;
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.execSync(`npm whoami --registry=${fullPackageRegistry}`, { stdio: "pipe", encoding: "utf8" });
+			Util.spawnSync('npm', ['whoami', `--registry=${fullPackageRegistry}`], { stdio: 'pipe', encoding: 'utf8' });
 		} catch (error) {
 			// try registering the user:
 			Util.log(
@@ -247,14 +247,14 @@ export class PackageManager {
 				process.stdin.setRawMode(true);
 			}
 			const cmd = /^win/.test(process.platform) ? "npm.cmd" : "npm"; //https://github.com/nodejs/node/issues/3675
-			const login = spawnSync(cmd,
+			const login = Util.spawnSync(cmd,
 				["adduser", `--registry=${fullPackageRegistry}`, `--scope=@infragistics`, `--always-auth`],
 				{ stdio: "inherit" }
 			);
 			if (login?.status === 0) {
 				//make sure scope is configured:
 				try {
-					Util.execSync(`npm config set @infragistics:registry ${fullPackageRegistry}`);
+					Util.spawnSync('npm', ['config', 'set', `@infragistics:registry`, fullPackageRegistry]);
 					return true;
 				} catch (error) {
 					return false;

packages/core/util/Util.ts

@@ -1,5 +1,5 @@
 import chalk from "chalk";
-import { execSync, ExecSyncOptions } from "child_process";
+import { execSync, ExecSyncOptions, spawnSync, SpawnSyncOptions } from "child_process";
 import * as fs from "fs";
 import * as glob from "glob";
 import * as path from "path";
@@ -282,6 +282,11 @@ export class Util {
 		}
 
 		for (const key of Object.keys(source)) {
+			// Skip keys that can affect the prototype of objects to avoid prototype pollution vulnerabilities
+			if (key === "__proto__" || key === "constructor") {
+				continue;
+			}
+
 			const sourceKeyIsArray = Array.isArray(source[key]);
 			const targetHasThisKey = target.hasOwnProperty(key);
 
@@ -346,6 +351,32 @@ export class Util {
 		}
 	}
 
+	/**
+     * Execute synchronous command with options using spawnSync
+     * @param command Command to be executed
+     * @param args Command arguments
+     * @param options Command options
+     * @throws {Error} On non-zero exit code. Error has 'status', 'signal', 'output', 'stdout', 'stderr'
+     */
+	public static spawnSync(command: string, args: string[], options?: SpawnSyncOptions) {
+		try {
+			return spawnSync(command, args, options);
+		} catch (error) {
+			// Handle potential process interruption
+			// Check if the error output ends with "^C"
+			if (error.stderr && error.stderr.toString().endsWith() === "^C") {
+				return process.exit();
+			}
+
+			// Handle specific exit codes for different signals
+			if (error.status === 3221225786 || error.status > 128) {
+				return process.exit();
+			}
+
+			throw error;
+		}
+	}
+
 	/**
 	 * Initialize git for a project, located in the provided directory and commit it.
 	 * @param parentRoot Parent directory root of the project.
@@ -356,7 +387,8 @@ export class Util {
 			const options: any = { cwd: path.join(parentRoot, projectName), stdio: [process.stdin, "ignore", "ignore"] };
 			Util.execSync("git init", options);
 			Util.execSync("git add .", options);
-			Util.execSync("git commit -m " + "\"Initial commit for project: " + projectName + "\"", options);
+			const commitMessage = `"Initial commit for project: ${projectName}"`;
+			Util.spawnSync('git', ['commit', '-m', commitMessage], options);
 			Util.log(Util.greenCheck() + " Git Initialized and Project '" + projectName + "' Committed");
 		} catch (error) {
 			Util.error("Git initialization failed. Install Git in order to automatically commit the project.", "yellow");

spec/acceptance/help-spec.ts

@@ -1,5 +1,4 @@
-import { GoogleAnalytics } from "@igniteui/cli-core";
-import { spawnSync } from "child_process";
+import { GoogleAnalytics, Util } from "@igniteui/cli-core";
 import * as cli from "../../packages/cli/lib/cli";
 
 const execLocation = "packages/cli/bin/execute.js";
@@ -37,7 +36,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the new command", async () => {
-		const child = spawnSync("node", [execLocation, "new", "--help"], {
+		const child = Util.spawnSync("node", [execLocation, "new", "--help"], {
 			encoding: "utf-8"
 		});
 		const originalNewHelpText: string = `Options:
@@ -60,7 +59,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the config sub-commands", async () => {
-		const child = spawnSync("node", [execLocation, "config", "--help"], {
+		const child = Util.spawnSync("node", [execLocation, "config", "--help"], {
 			encoding: "utf-8"
 		});
 		const originalNewHelpText: string = `Commands:
@@ -80,7 +79,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the generate sub-commands", async () => {
-		const child = spawnSync("node", [execLocation, "generate", "--help"], {
+		const child = Util.spawnSync("node", [execLocation, "generate", "--help"], {
 			encoding: "utf-8"
 		});
 		const originalNewHelpText: string = `Commands:
@@ -97,7 +96,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the generate template sub-commands", async () => {
-		const child = spawnSync("node", [execLocation, "g", "t", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "g", "t", "-h"], {
 			encoding: "utf-8"
 		});
 		const originalNewHelpText: string = `
@@ -119,7 +118,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the list command", async () => {
-		const child = spawnSync("node", [execLocation, "list", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "list", "-h"], {
 			encoding: "utf-8"
 		});
 		const originalNewHelpText: string = `
@@ -137,7 +136,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the quickstart command", async () => {
-		const child = spawnSync("node", [execLocation, "quickstart", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "quickstart", "-h"], {
 			encoding: "utf-8"
 		});
 
@@ -156,7 +155,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the test command", async () => {
-		const child = spawnSync("node", [execLocation, "test", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "test", "-h"], {
 			encoding: "utf-8"
 		});
 
@@ -174,7 +173,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the doc command", async () => {
-		const child = spawnSync("node", [execLocation, "doc", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "doc", "-h"], {
 			encoding: "utf-8"
 		});
 
@@ -192,7 +191,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the build command", async () => {
-		const child = spawnSync("node", [execLocation, "build", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "build", "-h"], {
 			encoding: "utf-8"
 		});
 
@@ -210,7 +209,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the start command", async () => {
-		const child = spawnSync("node", [execLocation, "start", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "start", "-h"], {
 			encoding: "utf-8"
 		});
 
@@ -228,7 +227,7 @@ describe("Help command", () => {
 	});
 
 	it("should show help for the upgrade command", async () => {
-		const child = spawnSync("node", [execLocation, "upgrade-packages", "-h"], {
+		const child = Util.spawnSync("node", [execLocation, "upgrade-packages", "-h"], {
 			encoding: "utf-8"
 		});
 

spec/unit/new-spec.ts

@@ -284,12 +284,24 @@ describe("Unit - New command", () => {
 			getProjectLibrary: mockProjLib
 		});
 
+		spyOn(Util, "spawnSync").and.returnValues({
+			status: 0,
+			pid: 0,
+			output: [],
+			stdout: "",
+			stderr: "",
+			signal: "SIGABRT"
+		});
+
 		await newCmd.handler({ name: projectName, framework: "jq", _: ["new"], $0: "new" });
 
 		expect(Util.execSync).toHaveBeenCalledWith("git init", jasmine.any(Object));
 		expect(Util.execSync).toHaveBeenCalledWith("git add .", jasmine.any(Object));
-		expect(Util.execSync).toHaveBeenCalledWith("git commit -m " + "\"Initial commit for project: " + projectName + "\"",
-			jasmine.any(Object));
+		expect(Util.spawnSync).toHaveBeenCalledWith(
+			"git",
+			['commit', '-m', `"Initial commit for project: ${projectName}"`],
+			{ cwd: path.join(process.cwd(), projectName), stdio: [process.stdin, "ignore", "ignore"] }
+		);
 		expect(Util.log).toHaveBeenCalledWith(
 			jasmine.stringMatching("Git Initialized and Project '" + projectName + "' Committed")
 		);