mirror of
https://github.com/AutoMaker-Org/automaker.git
synced 2026-03-17 10:03:08 +00:00
8ed2fa07a0
Fix multiple command injection and security vulnerabilities in the worktree initialization script system: **Critical Fixes:** - Add branch name validation to prevent command injection in create/delete endpoints - Replace string interpolation with array-based command execution using spawnProcess - Implement safe environment variable allowlist to prevent credential exposure - Add script content validation with 1MB size limit and dangerous pattern detection **Code Quality:** - Centralize execGitCommand helper in common.ts using @automaker/platform's spawnProcess - Remove duplicate isGitRepo implementation, standardize imports to @automaker/git-utils - Follow DRY principle by reusing existing platform utilities - Add comprehensive JSDoc documentation with security examples This addresses 6 critical/high severity vulnerabilities identified in security audit: 1. Command injection via unsanitized branch names (delete.ts) 2. Command injection via unsanitized branch names (create.ts) 3. Missing branch validation in init script execution 4. Environment variable exposure (ANTHROPIC_API_KEY and other secrets) 5. Path injection via command substitution 6. Arbitrary script execution without content limits Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>