Security: use execFileSync instead of execSync with shell strings (#20655)

Replace execSync (which runs the command string through a shell) with
execFileSync (which invokes the binary directly with an argv array).
With no shell involved, arguments are never re-parsed, so an interpolated
argument cannot become a command injection.

Co-authored-by: sirishacyd <sirishacyd@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
mahanandhi
2026-02-19 03:19:09 -08:00
committed by GitHub
parent ee6d0bd321
commit fb35635c10
2 changed files with 8 additions and 6 deletions


@@ -1,4 +1,4 @@
import { execSync } from "node:child_process";
import { execFileSync } from "node:child_process";
export type TimeFormatPreference = "auto" | "12" | "24";
export type ResolvedTimeFormat = "12" | "24";
@@ -96,9 +96,10 @@ export function withNormalizedTimestamp<T extends Record<string, unknown>>(
function detectSystemTimeFormat(): boolean {
if (process.platform === "darwin") {
try {
const result = execSync("defaults read -g AppleICUForce24HourTime 2>/dev/null", {
const result = execFileSync("defaults", ["read", "-g", "AppleICUForce24HourTime"], {
encoding: "utf8",
timeout: 500,
stdio: ["pipe", "pipe", "pipe"],
}).trim();
if (result === "1") {
return true;
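Review bot: The new `execFileSync("defaults", …)` on the replacement line no longer spawns a shell, but it still resolves the binary through `PATH`, so a writable directory early in the caller's `PATH` can still substitute what actually runs; for a fixed system tool the lookup can be avoided with `execFileSync("/usr/bin/defaults", ["read", "-g", "AppleICUForce24HourTime"], {`. The added `stdio: ["pipe", "pipe", "pipe"]` line is what now stands in for the dropped `2>/dev/null` (stderr is captured instead of printed to the parent's terminal) and deserves a comment such as `// pipe stderr so an unset key does not print to the user's terminal; the non-zero exit still throws into the catch below`. The `catch` that absorbs that throw, and the rest of `detectSystemTimeFormat`, end outside this hunk. The same PATH consideration applies to the `powershell` call in the following hunk, where `"-NoProfile", "-NonInteractive"` ahead of `"-Command"` would also keep the user's profile script from running inside the 1000 ms budget; that hunk runs past the visible lines.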
@@ -113,8 +114,9 @@ function detectSystemTimeFormat(): boolean {
if (process.platform === "win32") {
try {
const result = execSync(
'powershell -Command "(Get-Culture).DateTimeFormat.ShortTimePattern"',
const result = execFileSync(
"powershell",
["-Command", "(Get-Culture).DateTimeFormat.ShortTimePattern"],
{ encoding: "utf8", timeout: 1000 },
).trim();
if (result.startsWith("H")) {