Fix potential security vulnerability

Author: paleite

husky.config.js

@@ -40,31 +40,31 @@
     "typecheck": "tsc --project tsconfig.json"
   },
   "devDependencies": {
-    "@paleite/eslint-config": "^1.0.0",
-    "@paleite/eslint-config-base": "^1.0.0",
-    "@paleite/eslint-config-typescript": "^1.0.0",
-    "@paleite/jest-config": "^1.0.0",
-    "@paleite/prettier-config": "^1.0.0",
-    "@paleite/tsconfig-node16": "^1.0.0",
-    "@types/eslint": "^8.4.1",
-    "@types/jest": "^27.4.1",
+    "@paleite/eslint-config": "^1.0.2",
+    "@paleite/eslint-config-base": "^1.0.2",
+    "@paleite/eslint-config-typescript": "^1.0.2",
+    "@paleite/jest-config": "^1.0.2",
+    "@paleite/prettier-config": "^1.0.2",
+    "@paleite/tsconfig-node16": "^1.0.2",
+    "@types/eslint": "^8.4.2",
+    "@types/jest": "^28.1.1",
     "@types/node": "^16.11.26",
-    "@typescript-eslint/eslint-plugin": "^5.15.0",
-    "@typescript-eslint/parser": "^5.15.0",
-    "eslint": "^8.11.0",
+    "@typescript-eslint/eslint-plugin": "^5.27.0",
+    "@typescript-eslint/parser": "^5.27.0",
+    "eslint": "^8.17.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-files": "^1.0.0",
-    "eslint-plugin-import": "^2.25.4",
+    "eslint-plugin-import": "^2.26.0",
     "eslint-plugin-promise": "^6.0.0",
-    "husky": "^7.0.4",
-    "jest": "^27.5.1",
-    "jest-mock": "^27.5.1",
-    "lint-staged": "^12.3.7",
+    "husky": "^8.0.1",
+    "jest": "^28.1.0",
+    "jest-mock": "^28.1.0",
+    "lint-staged": "^13.0.0",
     "np": "^7.6.1",
     "pinst": "^3.0.0",
-    "prettier": "^2.6.0",
-    "ts-jest": "^27.1.3",
-    "typescript": "^4.6.2"
+    "prettier": "^2.6.2",
+    "ts-jest": "^28.0.4",
+    "typescript": "^4.7.3"
   },
   "peerDependencies": {
     "eslint": ">=6.7.0"

package.json

@@ -50,67 +50,70 @@ describe("getRangesForDiff", () => {
 
 describe("getDiffForFile", () => {
   it("should get the staged diff of a file", () => {
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(hunks));
+    mockedChildProcess.execFileSync.mockReturnValueOnce(Buffer.from(hunks));
     process.env.ESLINT_PLUGIN_DIFF_COMMIT = "1234567";
 
     const diffFromFile = getDiffForFile("./mockfile.js", true);
 
-    const expectedArguments =
-      'git diff --diff-algorithm=histogram --diff-filter=ACM -M100% --relative --staged --unified=0 "1234567"';
-    expect(
-      mockedChildProcess.execSync.mock.calls[
-        mockedChildProcess.execSync.mock.calls.length - 1
-      ][0]
-        .split(" -- ")
-        .shift()
-    ).toEqual(expectedArguments);
+    const expectedCommand = "git";
+    const expectedArgs =
+      'diff --diff-algorithm=histogram --diff-filter=ACM -M100% --relative --staged --unified=0 "1234567"';
+
+    const lastCall = mockedChildProcess.execFileSync.mock.calls.at(-1);
+    const [command, argsIncludingFile = []] = lastCall ?? [""];
+    const args = argsIncludingFile.slice(0, argsIncludingFile.length - 2);
+
+    expect(command).toBe(expectedCommand);
+    expect(args.join(" ")).toEqual(expectedArgs);
     expect(diffFromFile).toContain("diff --git");
     expect(diffFromFile).toContain("@@");
   });
 
   it("should hit the cached diff of a file", () => {
     jest.mock("child_process").resetAllMocks();
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(hunks));
+    mockedChildProcess.execFileSync.mockReturnValueOnce(Buffer.from(hunks));
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(0);
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(0);
     const diffFromFileA = getDiffForFile("./mockfileCache.js");
     const diffFromFileB = getDiffForFile("./mockfileCache.js");
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(1);
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(1);
     expect(diffFromFileA).toEqual(diffFromFileB);
 
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(hunks));
+    mockedChildProcess.execFileSync.mockReturnValueOnce(Buffer.from(hunks));
     getDiffForFile("./mockfileMiss.js");
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(2);
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(2);
   });
 });
 
 describe("hasCleanIndex", () => {
   it("returns false instead of throwing", () => {
     jest.mock("child_process").resetAllMocks();
-    mockedChildProcess.execSync.mockImplementationOnce(() => {
+    mockedChildProcess.execFileSync.mockImplementationOnce(() => {
       throw Error("mocked error");
     });
     expect(hasCleanIndex("")).toEqual(false);
-    expect(mockedChildProcess.execSync).toHaveBeenCalled();
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalled();
   });
 
   it("returns true otherwise", () => {
     jest.mock("child_process").resetAllMocks();
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(""));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(""));
     expect(hasCleanIndex("")).toEqual(true);
-    expect(mockedChildProcess.execSync).toHaveBeenCalled();
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalled();
   });
 });
 
 describe("getDiffFileList", () => {
   it("should get the list of staged files", () => {
     jest.mock("child_process").resetAllMocks();
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(diffFileList));
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(0);
+    mockedChildProcess.execFileSync.mockReturnValueOnce(
+      Buffer.from(diffFileList)
+    );
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(0);
     const fileListA = getDiffFileList();
     const fileListB = getDiffFileList();
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(1);
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(1);
     expect(fileListA).toEqual(
       ["file1", "file2", "file3"].map((p) => path.resolve(p))
     );
@@ -121,13 +124,15 @@ describe("getDiffFileList", () => {
 describe("getUntrackedFileList", () => {
   it("should get the list of untracked files", () => {
     jest.mock("child_process").resetAllMocks();
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(diffFileList));
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(0);
+    mockedChildProcess.execFileSync.mockReturnValueOnce(
+      Buffer.from(diffFileList)
+    );
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(0);
     const fileListA = getUntrackedFileList();
     const staged = false;
     const fileListB = getUntrackedFileList(staged);
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalledTimes(1);
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalledTimes(1);
     expect(fileListA).toEqual(
       ["file1", "file2", "file3"].map((p) => path.resolve(p))
     );
@@ -142,7 +147,9 @@ describe("getUntrackedFileList", () => {
 
 describe("getGitFileList", () => {
   it("should get the list of committed files", () => {
-    mockedChildProcess.execSync.mockReturnValueOnce(Buffer.from(diffFileList));
+    mockedChildProcess.execFileSync.mockReturnValueOnce(
+      Buffer.from(diffFileList)
+    );
     expect(getGitFileList()).toEqual(
       ["file1", "file2", "file3"].map((p) => path.resolve(p))
     );

src/git.test.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 import { Range } from "./Range";
 
 const RUNNING_INSIDE_VSCODE = process.env.VSCODE_CLI !== undefined;
+const COMMAND = "git";
 
 const sanitizeFilePath = (filePath: string) =>
   JSON.stringify(path.resolve(filePath));
@@ -20,8 +21,7 @@ const getCachedDiff = (filePath: string, staged: boolean) =>
 const getDiffForFile = (filePath: string, staged = false): string => {
   let diff = getCachedDiff(filePath, staged);
   if (RUNNING_INSIDE_VSCODE || diff === undefined) {
-    const command = [
-      "git",
+    const args = [
       "diff",
       "--diff-algorithm=histogram",
       "--diff-filter=ACM",
@@ -32,11 +32,12 @@ const getDiffForFile = (filePath: string, staged = false): string => {
       JSON.stringify(process.env.ESLINT_PLUGIN_DIFF_COMMIT ?? "HEAD"),
       "--",
       sanitizeFilePath(filePath),
-    ]
-      .filter(Boolean)
-      .join(" ");
+    ].reduce<string[]>(
+      (acc, cur) => (typeof cur === "string" ? [...acc, cur] : acc),
+      []
+    );
 
-    const result = child_process.execSync(command).toString();
+    const result = child_process.execFileSync(COMMAND, args).toString();
     setCachedDiff(filePath, staged, result);
     diff = result;
   }
@@ -47,8 +48,7 @@ const getDiffForFile = (filePath: string, staged = false): string => {
 let diffFileListCache: string[] | undefined;
 const getDiffFileList = (): string[] => {
   if (RUNNING_INSIDE_VSCODE || diffFileListCache === undefined) {
-    const command = [
-      "git",
+    const args = [
       "diff",
       "--diff-algorithm=histogram",
       "--diff-filter=ACM",
@@ -57,12 +57,10 @@ const getDiffFileList = (): string[] => {
       "--relative",
       "--staged",
       JSON.stringify(process.env.ESLINT_PLUGIN_DIFF_COMMIT ?? "HEAD"),
-    ]
-      .filter(Boolean)
-      .join(" ");
+    ];
 
     diffFileListCache = child_process
-      .execSync(command)
+      .execFileSync(COMMAND, args)
       .toString()
       .trim()
       .split("\n")
@@ -75,10 +73,10 @@ const getDiffFileList = (): string[] => {
 let gitFileListCache: string[] | undefined;
 const getGitFileList = (): string[] => {
   if (RUNNING_INSIDE_VSCODE || gitFileListCache === undefined) {
-    const command = ["git", "ls-files"].filter(Boolean).join(" ");
+    const args = ["ls-files"];
 
     gitFileListCache = child_process
-      .execSync(command)
+      .execFileSync(COMMAND, args)
       .toString()
       .trim()
       .split("\n")
@@ -89,19 +87,18 @@ const getGitFileList = (): string[] => {
 };
 
 const hasCleanIndex = (filePath: string): boolean => {
-  const command = [
-    "git",
+  const args = [
     "diff",
     "--quiet",
     "--relative",
     "--unified=0",
     "--",
     sanitizeFilePath(filePath),
-  ].join(" ");
+  ];
 
   let result = true;
   try {
-    child_process.execSync(command).toString();
+    child_process.execFileSync(COMMAND, args).toString();
   } catch (err: unknown) {
     result = false;
   }
@@ -114,12 +111,10 @@ const getUntrackedFileList = (staged = false): string[] => {
   if (staged) {
     untrackedFileListCache = [];
   } else if (RUNNING_INSIDE_VSCODE || untrackedFileListCache === undefined) {
-    const command = ["git", "ls-files", "--exclude-standard", "--others"]
-      .filter(Boolean)
-      .join(" ");
+    const args = ["ls-files", "--exclude-standard", "--others"];
 
     untrackedFileListCache = child_process
-      .execSync(command)
+      .execFileSync(COMMAND, args)
       .toString()
       .trim()
       .split("\n")

src/git.ts

@@ -3,7 +3,9 @@ import { mocked } from "jest-mock";
 
 jest.mock("child_process");
 const mockedChildProcess = mocked(child_process, true);
-mockedChildProcess.execSync.mockReturnValue(Buffer.from("line1\nline2\nline3"));
+mockedChildProcess.execFileSync.mockReturnValue(
+  Buffer.from("line1\nline2\nline3")
+);
 
 import { configs, processors } from "./index";
 

src/index.test.ts

@@ -10,7 +10,7 @@ import { postprocessArguments } from "./__fixtures__/postprocessArguments";
 
 jest.mock("child_process");
 const mockedChildProcess = mocked(child_process, true);
-mockedChildProcess.execSync.mockReturnValue(
+mockedChildProcess.execFileSync.mockReturnValue(
   Buffer.from('/mock filename ", ; .js')
 );
 jest.mock("./git", () => ({
@@ -27,7 +27,7 @@ describe("processors", () => {
     const validFilename = filename;
     const sourceCode = "/** Some source code */";
 
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(fixtureDiff));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(fixtureDiff));
 
     expect(diff.preprocess(sourceCode, validFilename)).toEqual([sourceCode]);
   });
@@ -36,29 +36,29 @@ describe("processors", () => {
     const validFilename = filename;
     const sourceCode = "/** Some source code */";
 
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(fixtureDiff));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(fixtureDiff));
 
     expect(diff.preprocess(sourceCode, validFilename)).toEqual([sourceCode]);
   });
 
   it("diff postprocess", () => {
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(fixtureDiff));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(fixtureDiff));
 
     expect(diff.postprocess(messages, filename)).toMatchSnapshot();
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalled();
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalled();
   });
 
   it("staged postprocess", () => {
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(fixtureStaged));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(fixtureStaged));
 
     expect(staged.postprocess(messages, filename)).toMatchSnapshot();
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalled();
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalled();
   });
 
   it("should report fatal errors", () => {
-    mockedChildProcess.execSync.mockReturnValue(Buffer.from(fixtureDiff));
+    mockedChildProcess.execFileSync.mockReturnValue(Buffer.from(fixtureDiff));
 
     const [[firstMessage, ...restMessage], ...restMessageArray] = messages;
     const messagesWithFatal: Linter.LintMessage[][] = [
@@ -69,7 +69,7 @@ describe("processors", () => {
     expect(diff.postprocess(messages, filename)).toHaveLength(2);
     expect(diff.postprocess(messagesWithFatal, filename)).toHaveLength(3);
 
-    expect(mockedChildProcess.execSync).toHaveBeenCalled();
+    expect(mockedChildProcess.execFileSync).toHaveBeenCalled();
   });
 });