fix: address remaining CodeQL alerts (#332)

This commit is contained in:
Vasanth T
2026-04-04 17:58:35 +05:30
committed by GitHub
parent cdc92d16e4
commit a0bdab24c0
4 changed files with 134 additions and 1 deletions


@@ -0,0 +1,25 @@
import { expect, test } from 'bun:test'
import { execFileNoThrowWithCwd } from './execFileNoThrow.js'
test('execFileNoThrowWithCwd rejects shell-like executable names', async () => {
const result = await execFileNoThrowWithCwd('openclaude && whoami', [])
expect(result.code).toBe(1)
expect(result.error).toContain('Unsafe executable')
})
test('execFileNoThrowWithCwd rejects cwd values with control characters', async () => {
const result = await execFileNoThrowWithCwd(process.execPath, ['--version'], {
cwd: 'C:\\repo\nmalicious',
})
expect(result.code).toBe(1)
expect(result.error).toContain('Unsafe working directory')
})
test('execFileNoThrowWithCwd rejects arguments with control characters', async () => {
const result = await execFileNoThrowWithCwd(process.execPath, ['--version\nmalicious'])
expect(result.code).toBe(1)
expect(result.error).toContain('Unsafe argument')
})
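Review bot: All three tests exercise only the rejection path (`result.code` of 1 and a substring of `result.error`), so a regression that makes `execFileNoThrowWithCwd` reject every invocation would still pass; a positive control is missing. Add one test that runs a known-safe command through the same entry point and expects success, e.g. `test('execFileNoThrowWithCwd still runs a safe command', async () => { const result = await execFileNoThrowWithCwd(process.execPath, ['--version'], { cwd: process.cwd() }); expect(result.code).toBe(0) })`. The error-message assertions are also tied to the exact wording `Unsafe executable` / `Unsafe working directory` / `Unsafe argument`; if those strings are user-facing and may be reworded, a comment noting that the test pins them, or a shared constant, would keep the tests from breaking on a copy change. The file path for this section is not shown on the page, so I cannot confirm the hunk is the whole file.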