fix(utils): resolve command injection vulnerability in emptyFolder (4.x) (#5191)

mhassan1 · kobenguyent · kobenguyent · commit 59b6943779db · 2026-01-07T10:50:50.000+01:00
* fix(utils): remove incorrect `async` from `emptyFolder`

* fix(utils): resolve command injection vulnerability in `emptyFolder`

---------

Co-authored-by: kobenguyent &lt;7845001+kobenguyent@users.noreply.github.com&gt;
diff --git a/lib/utils.js b/lib/utils.js
@@ -479,7 +479,11 @@ export const isNotSet = function (obj) {
 }
 
 export const emptyFolder = async directoryPath => {
-  childProcess.execSync(`rm -rf ${directoryPath}/*`)
+  // Do not throw on non-existent directory, since it may be created later
+  if (!fs.existsSync(directoryPath)) return
+  for (const file of fs.readdirSync(directoryPath)) {
+    fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })
+  }
 }
 
 export const printObjectProperties = obj => {

Original file line number	Diff line number	Diff line change
`@@ -479,7 +479,11 @@ export const isNotSet = function (obj) {`
`479`	`479`	`}`
`480`	`480`
`481`	`481`	`export const emptyFolder = async directoryPath => {`
`482`		- childProcess.execSync(`rm -rf ${directoryPath}/*`)
	`482`	`+ // Do not throw on non-existent directory, since it may be created later`
	`483`	`+ if (!fs.existsSync(directoryPath)) return`
	`484`	`+ for (const file of fs.readdirSync(directoryPath)) {`
	`485`	`+ fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })`
	`486`	`+ }`
`483`	`487`	`}`
`484`	`488`
`485`	`489`	`export const printObjectProperties = obj => {`