spark-store-project/spark-store
15
0
Fork 0
mirror of https://gitee.com/spark-store-project/spark-store synced 2026-04-26 09:20:18 +08:00
Code Issues 1 Packages Projects Releases Wiki Activity

Merge pull request #1 from vmomenv/security-fix-command-injection-install-manager-3820575162219224633

Browse Source 
🔒 [security fix] Fix Command Injection in install-manager.ts
This commit is contained in:
momen
2026-03-11 00:08:50 +08:00
committed by GitHub
parent 4fd280cf85 1270405907
commit 7dc8b7f77f
5 changed files with 8 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/build.yml vendored
View File

@@ -45,7 +45,7 @@ jobs:
node-version: 20 node-version: 20
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm install
- name: Run tests - name: Run tests
run: npm run test run: npm run test

6
.github/workflows/test.yml vendored
View File

@@ -20,7 +20,7 @@ jobs:
node-version: 20 node-version: 20
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm install
- name: Run unit tests - name: Run unit tests
run: npm run test -- --coverage run: npm run test -- --coverage
@@ -45,7 +45,7 @@ jobs:
node-version: 20 node-version: 20
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm install
- name: Install Playwright Browsers - name: Install Playwright Browsers
run: npx playwright install --with-deps chromium run: npx playwright install --with-deps chromium
@@ -74,7 +74,7 @@ jobs:
node-version: 20 node-version: 20
- name: Install dependencies - name: Install dependencies
run: npm ci run: npm install
- name: Run ESLint - name: Run ESLint
run: npm run lint run: npm run lint

1
.gitignore vendored
View File

@@ -34,7 +34,6 @@ playwright/.cache
*.sw? *.sw?
# lockfile # lockfile
package-lock.json
pnpm-lock.yaml pnpm-lock.yaml
yarn.lock yarn.lock
.lock .lock

2
AGENTS.md
View File

@@ -285,7 +285,7 @@ const execParams =
// 生成进程 // 生成进程
const child = spawn(execCommand, execParams, { const child = spawn(execCommand, execParams, {
shell: true, shell: false,
env: process.env, env: process.env,
}); });

6
electron/main/backend/install-manager.ts
View File

@@ -52,7 +52,7 @@ const runCommandCapture = async (execCommand: string, execParams: string[]) => {
return await new Promise<{ code: number; stdout: string; stderr: string }>( return await new Promise<{ code: number; stdout: string; stderr: string }>(
(resolve) => { (resolve) => {
const child = spawn(execCommand, execParams, { const child = spawn(execCommand, execParams, {
shell: true, shell: false,
env: process.env, env: process.env,
}); });
@@ -340,7 +340,7 @@ async function processNextInQueue() {
stderr: string; stderr: string;
}>((resolve, reject) => { }>((resolve, reject) => {
const child = spawn(task.execCommand, task.execParams, { const child = spawn(task.execCommand, task.execParams, {
shell: true, shell: false,
env: process.env, env: process.env,
}); });
task.install_process = child; task.install_process = child;
@@ -484,7 +484,7 @@ ipcMain.on("remove-installed", async (_event, pkgname: string) => {
execCommand, execCommand,
[...execParams, "aptss", "remove", pkgname], [...execParams, "aptss", "remove", pkgname],
{ {
shell: true, shell: false,
env: process.env, env: process.env,
}, },
); );