Avoid shell interpretation of gpg command

This provides the shell command with the arguments separated to avoid interpretation by the shell. fixes: https://github.com/codecov/test-results-action/security/code-scanning/3
codecov · Oct 8, 2024 · 98d2f78 · 98d2f78
1 parent 7c17a47
commit 98d2f78
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 18 deletions.
diff --git a/dist/index.js b/dist/index.js
@@ -32363,32 +32363,30 @@ const verify = (filename, platform, version, verbose, failCi) => __awaiter(void
             }
         });
         const verifySignature = () => __awaiter(void 0, void 0, void 0, function* () {
-            const command = [
-                'gpg',
+            const args = [
                 '--logger-fd',
                 '1',
                 '--verify',
                 external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
                 external_node_path_namespaceObject.join(__dirname, `${uploaderName}.SHA256SUM`),
-            ].join(' ');
+            ];
             try {
-                yield (0,external_node_child_process_namespaceObject.execSync)(command, { stdio: 'inherit' });
+                yield (0,external_node_child_process_namespaceObject.spawnSync)('gpg', args, { stdio: 'inherit' });
             }
             catch (err) {
                 setFailure(`Codecov: Error verifying gpg signature: ${err.message}`, failCi);
             }
         });
         const importKey = () => __awaiter(void 0, void 0, void 0, function* () {
-            const command = [
-                'gpg',
+            const args = [
                 '--logger-fd',
                 '1',
                 '--no-default-keyring',
                 '--import',
                 external_node_path_namespaceObject.join(__dirname, 'pgp_keys.asc'),
-            ].join(' ');
+            ];
             try {
-                yield (0,external_node_child_process_namespaceObject.execSync)(command, { stdio: 'inherit' });
+                yield (0,external_node_child_process_namespaceObject.spawnSync)('gpg', args, { stdio: 'inherit' });
             }
             catch (err) {
                 setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);

diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/validate.ts b/src/validate.ts
@@ -1,4 +1,4 @@
-import {execSync} from 'node:child_process';
+import {spawnSync} from 'node:child_process';
 import * as crypto from 'node:crypto';
 import * as fs from 'node:fs';
 import * as path from 'node:path';
@@ -77,17 +77,16 @@ const verify = async (
     };
 
     const verifySignature = async () => {
-      const command = [
-        'gpg',
+      const args = [
         '--logger-fd',
         '1',
         '--verify',
         path.join(__dirname, `${uploaderName}.SHA256SUM.sig`),
         path.join(__dirname, `${uploaderName}.SHA256SUM`),
-      ].join(' ');
+      ];
 
       try {
-        await execSync(command, {stdio: 'inherit'});
+        await spawnSync('gpg', args, {stdio: 'inherit'});
       } catch (err) {
         setFailure(
             `Codecov: Error verifying gpg signature: ${err.message}`,
@@ -97,17 +96,16 @@ const verify = async (
     };
 
     const importKey = async () => {
-      const command = [
-        'gpg',
+      const args = [
         '--logger-fd',
         '1',
         '--no-default-keyring',
         '--import',
         path.join(__dirname, 'pgp_keys.asc'),
-      ].join(' ');
+      ];
 
       try {
-        await execSync(command, {stdio: 'inherit'});
+        await spawnSync('gpg', args, {stdio: 'inherit'});
       } catch (err) {
         setFailure(`Codecov: Error importing gpg key: ${err.message}`, failCi);
       }