Properly escape and quote git tag names before passing it as shell parameter (#1065)

* add shescape library and properly escape and quote tag name before passing it to a shell

* add mising @param

Author: netomi

lib/resolveExtension.js

@@ -6,13 +6,16 @@ const readVSIXPackage = require("@vscode/vsce/out/zip").readVSIXPackage;
 const download = require("download");
 const exec = require("./exec");
 const { repoPath } = require("./constants");
+const shescape = require("shescape");
 
 const token = process.env.GITHUB_TOKEN;
 if (!token) {
     console.warn("GITHUB_TOKEN env var is not set. Skipping lookup from releases");
 }
 const octokit = new Octokit({ auth: token });
 
+const shellEscape = new shescape.Shescape({ shell: true });
+
 /**
  *
  * @param {Readonly<import('../types').Extension>} extension
@@ -85,7 +88,7 @@ exports.resolveExtension = async function ({ id, repository, location }, ms) {
      */
     async function resolveVersion(ref) {
         try {
-            await exec(`git reset --hard ${ref} --quiet`, { cwd: repoPath, quiet: true });
+            await exec(`git reset --hard ${shellEscape.quote(ref)} --quiet`, { cwd: repoPath, quiet: true });
             const manifest = JSON.parse(await fs.promises.readFile(packagePath, "utf-8"));
             if (`${manifest.publisher}.${manifest.name}`.toLowerCase() !== id.toLowerCase()) {
                 return undefined;

package.json

@@ -44,6 +44,7 @@
     "ovsx": "latest",
     "prettier": "^3.2.5",
     "semver": "^7.1.3",
+    "shescape": "^2.1.7",
     "xml2js": "^0.6.2",
     "yauzl-promise": "^4.0.0"
   },

scripts/publish-extension.js

@@ -34,6 +34,7 @@ async function bufferStream(stream) {
  *
  * @param {string} packagePath
  * @param {(name: string) => boolean} filter
+ * @param {boolean} unique
  * @returns {Promise<Map<string, Buffer>>}
  */
 async function readZip(packagePath, filter, unique) {