From b00568176c5751b822ea287638cc91b2be3d6514 Mon Sep 17 00:00:00 2001 From: Kacper Date: Sun, 21 Dec 2025 15:07:38 +0100 Subject: [PATCH] refactor(platform): improve node-finder security and documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add null byte validation to shell command output (security hardening) - Expand VERSION_DIR_PATTERN comment to explain intentional pre-release support 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- libs/platform/src/node-finder.ts | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libs/platform/src/node-finder.ts b/libs/platform/src/node-finder.ts index 9c29c308..399b38ee 100644 --- a/libs/platform/src/node-finder.ts +++ b/libs/platform/src/node-finder.ts @@ -10,7 +10,11 @@ import fs from 'fs'; import path from 'path'; import os from 'os'; -/** Pattern to match version directories (e.g., "v18.17.0", "18.17.0") */ +/** + * Pattern to match version directories (e.g., "v18.17.0", "18.17.0", "v18") + * Intentionally permissive to match pre-release versions (v18.17.0-beta, v18.17.0-rc1) + * since localeCompare with numeric:true handles sorting correctly + */ const VERSION_DIR_PATTERN = /^v?\d+/; /** Result of finding Node.js executable */ @@ -236,7 +240,8 @@ function findNodeViaShell( // 'where' on Windows can return multiple lines, take the first const nodePath = result.split(/\r?\n/)[0]; - if (nodePath && fs.existsSync(nodePath)) { + // Validate path: check for null bytes (security) and existence + if (nodePath && !nodePath.includes('\x00') && fs.existsSync(nodePath)) { return { nodePath, source: platform === 'win32' ? 'where' : 'which',