Avoid shell injection in tests (#22)

s0 · Sep 1, 2024 · b2cfce1 · b2cfce1
1 parent 3e95bf4
commit b2cfce1
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/src/test/integration/git.test.ts b/src/test/integration/git.test.ts
@@ -7,7 +7,7 @@ import {
   ROOT_TEST_BRANCH_PREFIX,
   log,
 } from "./env";
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { getOctokit } from "@actions/github";
 import { commitChangesFromRepo } from "../../git";
 import { getRefTreeQuery } from "../../github/graphql/queries";
@@ -163,8 +163,9 @@ describe("git", () => {
 
       // Clone the git repo locally using the git cli and child-process
       await new Promise<void>((resolve, reject) => {
-        const p = exec(
-          `git clone ${process.cwd()} repo-1`,
+        const p = execFile(
+          "git",
+          ["clone", process.cwd(), "repo-1"],
           { cwd: testDir },
           (error) => {
             if (error) {
@@ -218,8 +219,9 @@ describe("git", () => {
 
       // Clone the git repo locally usig the git cli and child-process
       await new Promise<void>((resolve, reject) => {
-        const p = exec(
-          `git clone ${process.cwd()} repo-2`,
+        const p = execFile(
+          "git",
+          ["clone", process.cwd(), "repo-2"],
           { cwd: testDir },
           (error) => {
             if (error) {