From c2b59038aeb15d33447be76a6040b725820df115 Mon Sep 17 00:00:00 2001
From: xuewenjie
Date: Thu, 18 Dec 2025 17:32:11 +0800
Subject: [PATCH] fix: escape backslashes in PowerShell command strings (CodeQL security fix)

Fixes CodeQL security alert: Incomplete string escaping or encoding
- Add escapeForPowerShellDoubleQuotes() helper function
- Properly escape both backslashes and double quotes in correct order
- Prevents command injection vulnerabilities in Windows process detection
- All existing tests pass
---
 packages/core/src/ide/process-utils.ts | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/packages/core/src/ide/process-utils.ts b/packages/core/src/ide/process-utils.ts
index 7f0b3e8e..d4673f1b 100644
--- a/packages/core/src/ide/process-utils.ts
+++ b/packages/core/src/ide/process-utils.ts
@@ -14,6 +14,18 @@ const execFileAsync = promisify(execFile);

 const MAX_TRAVERSAL_DEPTH = 32;

+/**
+ * Escapes a string for safe use inside PowerShell double-quoted strings.
+ * Must escape backslashes first, then double quotes.
+ *
+ * @param str The string to escape.
+ * @returns The escaped string safe for PowerShell double-quoted context.
+ */
+function escapeForPowerShellDoubleQuotes(str: string): string {
+ // Order matters: escape backslashes first, then double quotes
+ return str.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+
 /**
 * Fetches the parent process ID, name, and command for a given process ID.
 *
@@ -39,7 +51,7 @@ async function getProcessInfo(pid: number): Promise<{
 ].join(' ');

 const { stdout } = await execAsync(
- `powershell -NoProfile -NonInteractive -Command "${powershellCommand.replace(/"/g, '\\"')}"`,
+ `powershell -NoProfile -NonInteractive -Command "${escapeForPowerShellDoubleQuotes(powershellCommand)}"`,
 );
 const output = stdout.trim();
 if (!output) return { parentPid: 0, name: '', command: '' };
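Review bot: The name and docstring of `escapeForPowerShellDoubleQuotes` describe the wrong quoting layer: inside a PowerShell double-quoted string the escape character is the backtick and `$` still expands, so `\"` is not a PowerShell escape. What the two `replace` calls produce is closer to the Windows command-line argument convention, where a backslash is special only when it precedes a `"`; under those rules, doubling every backslash alters any backslash that is not followed by a quote, such as one inside a path. If `execAsync` wraps `child_process.exec` (its definition is outside this hunk), the string is also parsed by cmd.exe, whose metacharacters this helper leaves untouched. I would reword the docstring to state the real scope, for example `Escapes backslashes and double quotes for embedding in a quoted Windows command-line argument; does not neutralise cmd.exe or PowerShell metacharacters.`, and limit the backslash doubling to runs that directly precede a quote.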
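Review bot: The call in `getProcessInfo` still assembles one shell string for `execAsync`, so its safety depends on hand-written escaping matching every parser between Node and PowerShell. The first hunk's header shows that `execFileAsync = promisify(execFile)` already exists in this file; passing the arguments as an array, `await execFileAsync('powershell', ['-NoProfile', '-NonInteractive', '-Command', powershellCommand])`, removes the intermediate shell and leaves argument quoting to Node, which makes the helper unnecessary. `powershellCommand` is built above the hunk (only `].join(' ')` is visible), so whether any untrusted value reaches it cannot be judged from here. If only the numeric `pid` is interpolated, a `Number.isInteger(pid)` guard before building the command would make that assumption explicit. `getProcessInfo` begins and ends outside this hunk.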