From 1ff617703c2533f9775387f8a3193bfe8eb27ce1 Mon Sep 17 00:00:00 2001
From: Kacper
Date: Wed, 24 Dec 2025 01:41:05 +0100
Subject: [PATCH] fix: Update fetchLinkedPRs to prevent shell injection vulnerabilities

- Modified the fetchLinkedPRs function to use JSON.stringify for the request body, ensuring safe input handling when spawning the GitHub CLI command.
- Changed the command to read the query from stdin using the --input flag, enhancing security against shell injection risks.
---
 apps/server/src/routes/github/routes/list-issues.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/server/src/routes/github/routes/list-issues.ts b/apps/server/src/routes/github/routes/list-issues.ts
index 0065d113..c4ed58f1 100644
--- a/apps/server/src/routes/github/routes/list-issues.ts
+++ b/apps/server/src/routes/github/routes/list-issues.ts
@@ -111,8 +111,10 @@ async function fetchLinkedPRs(
 try {
 // Use spawn with stdin to avoid shell injection vulnerabilities
+ // --input - reads the JSON request body from stdin
+ const requestBody = JSON.stringify({ query });
 const response = await new Promise>((resolve, reject) => {
- const gh = spawn('gh', ['api', 'graphql', '-f', 'query=-'], {
+ const gh = spawn('gh', ['api', 'graphql', '--input', '-'], {
 cwd: projectPath,
 env: execEnv,
 });
@@ -133,7 +135,7 @@ async function fetchLinkedPRs(
 }
 });
- gh.stdin.write(query);
+ gh.stdin.write(requestBody);
 gh.stdin.end();
 });
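Review bot: Serializing the body with `JSON.stringify({ query })` makes the stdin transport safe, but it does not protect the GraphQL query itself if `query` is assembled by interpolating caller-supplied values such as the repository name or issue number; that construction happens above the hunk, so I cannot confirm either way. If it is interpolated, the safer shape is to keep the query static and ship the dynamic parts as GraphQL variables in the same body, `const requestBody = JSON.stringify({ query, variables });`, so `gh api graphql --input -` receives them as typed inputs rather than as query text. The existing comment `// Use spawn with stdin to avoid shell injection vulnerabilities` now understates what the body is, so consider rewording it to `// spawn() without a shell, JSON body via --input - : no shell or argv quoting involved`. The body of fetchLinkedPRs begins before this hunk and continues past it.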