From ad3cde25b29b2d09dd83309be91dba0438eba9ab Mon Sep 17 00:00:00 2001
From: Narek Hovhannisyan
Date: Thu, 5 Dec 2024 12:56:54 +0400
Subject: [PATCH] fix(util): tune npm to escape injection on shell commands

---
 src/if-check/util/npm.ts | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/if-check/util/npm.ts b/src/if-check/util/npm.ts
index 9717819f..18a4dcac 100644
--- a/src/if-check/util/npm.ts
+++ b/src/if-check/util/npm.ts
@@ -56,18 +56,25 @@ export const executeCommands = async (manifest: string, cwd: boolean) => {
     sanitizedManifest,
   ];
 
-  const fullCommand = [
-    ...ifEnvCommand,
-    '&&',
-    ...ifRunCommand,
-    '&&',
-    ...ttyCommand,
-    '|',
-    ...ifDiffCommand,
-  ].join(' ');
+  // Execute ifEnvCommand
+  await execPromise(ifEnvCommand.join(' '), {
+    cwd: process.env.CURRENT_DIR || process.cwd(),
+  });
+
+  // Execute ifRunCommand
+  await execPromise(ifRunCommand.join(' '), {
+    cwd: process.env.CURRENT_DIR || process.cwd(),
+  });
+
+  // Execute ttyCommand and capture its output
+  const ttyResult = await execPromise(ttyCommand.join(' '), {
+    cwd: process.env.CURRENT_DIR || process.cwd(),
+  });
 
-  // Execute the full command
-  await execPromise(fullCommand, {
+  // Pipe ttyResult into ifDiffCommand
+  const diffCommand = ifDiffCommand.join(' ');
+  const tty = ttyResult && ttyResult.stdout.trim();
+  await execPromise(`${tty ? `${tty} | ` : ''}${diffCommand}`, {
     cwd: process.env.CURRENT_DIR || process.cwd(),
   });
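Review bot: The final `await execPromise(...)` in the hunk still assembles its command by splicing runtime values (`tty`, which is captured process output, and the `.join(' ')`-ed `diffCommand`) into a template string that a shell will parse, so the pattern the subject line says this patch removes is only split across four calls rather than eliminated, and `sanitizedManifest` in particular still reaches a shell. The new `${tty} | ` form also changes what the code does compared with the removed `...ttyCommand, '|', ...ifDiffCommand`: the original piped ttyCommand's stdout into the diff command's stdin, whereas the new string puts the captured text in command position, so the shell would try to execute it. If execPromise wraps child_process.exec (inferred from the name, not visible here), a safer shape is to run each argv array with `execFile`/`spawn` with no shell and hand `ttyResult.stdout` to the diff process through its stdin, so no value is ever interpolated into a command string. The repeated `{ cwd: process.env.CURRENT_DIR || process.cwd() }` object could be hoisted once into a `const execOptions` above the first call. The enclosing `executeCommands` function starts and ends outside the hunk.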