Fix code scanning alert - Shell command built from environment values

[josecelano]

Tracking issue for:

• https://github.com/Nautilus-Cyberneering/git-queue/security/code-scanning/4

The Gitrepo class contains a two calls to execSync:

• execSync(git -C ${this.getDirPath()} status, {stdio: 'ignore'})
• execSync(git -C ${this.dir.getDirPath()} log -n 0, {stdio: 'ignore'})

https://github.com/Nautilus-Cyberneering/git-queue/blob/main/src/git-repo.ts

Since we use a class for the dir we are safe against shell injection as long as the class validates the dir:

https://github.com/Nautilus-Cyberneering/git-queue/blob/d47bd36bdad81487862ae73f3464a89c1a4fe9bd/src/git-repo-dir.ts#L9

Anyway, we could refactor it in order to avoid getting alerts from Code scanning.

They suggest:

var cp = require("child_process"),
  path = require("path");
function cleanupTemp() {
  let cmd = "rm",
    args = ["-rf", path.join(__dirname, "temp")];
  cp.execFileSync(cmd, args); // GOOD
}

instead of:

var cp = require("child_process"),
  path = require("path");
function cleanupTemp() {
  let cmd = "rm -rf " + path.join(__dirname, "temp");
  cp.execSync(cmd); // BAD
}

For the Librarian we build a wrapper to execute console commands.

I think it's a good idea because:

• It forces the user to pass the arguments for the console command with other function parameters that could be escaped.
• We can check easily check that all console commands are executed via the wrapper.
• If the validation of the object fails or stops working we are still safe against shell injection because we escape the arguments. For example, if the dir class validation is accidentally removed the console command will fail with a malicious string.

[ivanramosnet]

Hi @josecelano At the moment I have refactored these two calls following the recommendation of Code scanning.

However, I do not fully understand the need to make a wrapper considering that passing the arguments in the way that code scanning suggests is enough to avoid the problem, in addition to the fact that at the moment there are only two calls.

[josecelano]

Hi @ivanramosnet I think having a wrapper has two main advantages:

• People would use only the GOOD way if the just copy and paste the wrapper. If you use that function somewhere else you could use the BAD way. Of course we should check that on the PR reviews but that leads to my second point ...
• If we have a wrapper we could easily identify when the original function is being used and detect potencial security problems.

Anyway, the Code Scanning is going to detect it anyway again and people could forget to check for the use of the original function. So maybe my argument is not strong enough, so keep it that way :-).

And please, if there are not tests for the methods using that function add them :-).

[josecelano]

By the way @ivanramosnet it returns a generic error when the dir does no exist:

 throw​ ​new​ ​Error​(​)

I think we should return a DirNotFoundError with the dir path. Actually the dir could be removed after instantiating the object.