fix(security): potential arbitary code execution vulnerability (#36)

* fix(security): potential arbitary code execution vulnerability

sanitize all user input in zenodo uploader

fixes a medium-severity security vulnerability first identified by Snyk

* style: format

* chore: add shebang to zenodo shellscript

* ci(codeclimate): configure

* style: format

* fix(ci): stylelint plugin not working

* chore: remove manifest .vscode

* fix(ci): bye bye stylelint

* fix(ci): correct codeclimate config

specify exclude patterns

* fix(security): correct zenodo shellscript fail status

---------

Co-authored-by: quantum9Innovation <quantum9Innovation@users.noreply.github.com>

.codeclimate.yml

@@ -0,0 +1,31 @@
+plugins:
+  duplication:
+    enabled: true
+  eslint:
+    enabled: true
+  fixme:
+    enabled: true
+  git-legal:
+    enabled: true
+  markdownlint:
+    enabled: true
+  sass-lint:
+    enabled: true
+  shellcheck:
+    enabled: true
+    checks:
+      SC2086:
+        enabled: false
+  scss-lint:
+    enabled: true
+  tslint:
+    enabled: true
+  vint:
+    enabled: true
+exclude_patterns:
+  - "db/"
+  - "**/data.*"
+  - "dist/"
+  - "**/node_modules/"
+  - "**/spec/"
+  - "**/vendor/"

package-lock.json

@@ -29,12 +29,14 @@
         "@types/node": "^20",
         "@types/react": "^18",
         "@types/react-dom": "^18",
+        "@types/shell-escape": "^0.2.3",
         "autoprefixer": "^10.0.1",
         "eslint": "^8",
         "eslint-config-next": "14.1.0",
         "postcss": "^8",
         "prettier": "^3.2.5",
         "prettier-plugin-organize-imports": "^3.2.4",
+        "shell-escape": "^0.2.0",
         "tailwindcss": "^3.3.0",
         "typescript": "^5"
       },
@@ -1102,6 +1104,12 @@
       "integrity": "sha512-WZLiwShhwLRmeV6zH+GkbOFT6Z6VklCItrDioxUnv+u4Ll+8vKeFySoFyK/0ctcRpOmwAicELfmys1sDc/Rw+A==",
       "devOptional": true
     },
+    "node_modules/@types/shell-escape": {
+      "version": "0.2.3",
+      "resolved": "https://registry.npmjs.org/@types/shell-escape/-/shell-escape-0.2.3.tgz",
+      "integrity": "sha512-xZWkMuQkn1I20gEzhYRa4/t1pwZ8XiIkqGA1Iee1D2IgAUIRLr57nrgJgF2QmHEfkfVzOM59gi/4xp6V+Aq+4A==",
+      "dev": true
+    },
     "node_modules/@typescript-eslint/parser": {
       "version": "6.21.0",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-6.21.0.tgz",
@@ -4779,6 +4787,12 @@
         "node": ">=8"
       }
     },
+    "node_modules/shell-escape": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/shell-escape/-/shell-escape-0.2.0.tgz",
+      "integrity": "sha512-uRRBT2MfEOyxuECseCZd28jC1AJ8hmqqneWQ4VWUTgCAFvb3wKU1jLqj6egC4Exrr88ogg3dp+zroH4wJuaXzw==",
+      "dev": true
+    },
     "node_modules/side-channel": {
       "version": "1.0.5",
       "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.0.5.tgz",

package.json

@@ -34,11 +34,13 @@
     "@types/node": "^20",
     "@types/react": "^18",
     "@types/react-dom": "^18",
+    "@types/shell-escape": "^0.2.3",
     "autoprefixer": "^10.0.1",
     "eslint": "^8",
     "eslint-config-next": "14.1.0",
     "postcss": "^8",
     "prettier": "^3.2.5",
+    "shell-escape": "^0.2.0",
     "prettier-plugin-organize-imports": "^3.2.4",
     "tailwindcss": "^3.3.0",
     "typescript": "^5"

scripts/run.sh

@@ -1 +1,3 @@
-npx tsc zenodo.ts && node zenodo.js $1 $2
+#!/usr/bin/bash
+set -euo pipefail
+npx tsc --esModuleInterop zenodo.ts && node zenodo.js $1 $2

scripts/zenodo.ts

@@ -1,4 +1,5 @@
 import { execSync } from 'child_process'
+import shellescape from 'shell-escape'
 
 const TOKEN = process.env.ZENODO
 const filename = process.argv[2]
@@ -6,6 +7,8 @@ const path = process.argv[3]
 
 const run = (cmd: string): string | Buffer => {
   try {
+    // sanitize user input before running to prevent arbitrary code execution
+    cmd = shellescape(cmd.split(' '))
     const output = execSync(cmd, { stdio: 'pipe' })
     return output
   } catch (error) {