fix: sanitize child_process call in themeUpdate.js...

[orbisai0security]

Summary

Address high severity security finding in Docs/scripts/themeUpdate.js.

Vulnerability

Field	Value
ID	javascript.lang.security.detect-child-process.detect-child-process
Severity	HIGH
Scanner	semgrep
Rule	javascript.lang.security.detect-child-process.detect-child-process
File	Docs/scripts/themeUpdate.js:10
Assessment	Likely exploitable

Description: Detected calls to child_process from a function argument folder. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.

Evidence

Scanner confirmation: semgrep rule javascript.lang.security.detect-child-process.detect-child-process matched this pattern as javascript.lang.security.detect-child-process.detect-child-process.

Production code: This file is in the production codebase, not test-only code.

Changes

• Docs/scripts/themeUpdate.js

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

Security Invariant

Property: Shell commands never include unsanitized user input

Regression test

const { exec } = require('child_process');
const path = require('path');

// Import the actual production function
const themeUpdate = require('./themeUpdate.js');

describe('Shell commands never include unsanitized user input', () => {
  const payloads = [
    // Exact exploit case - command injection
    'theme; rm -rf /',
    // Alternative injection syntax
    '$(whoami)',
    // Backtick execution
    '`id`',
    // Boundary case - normal input
    'valid-theme-folder',
    // Edge case with spaces and special chars
    'theme folder; echo hacked'
  ];

  test.each(payloads)('rejects adversarial input: %s', async (folder) => {
    // Mock exec to capture the actual command being executed
    const execCalls = [];
    const originalExec = exec;
    
    // Temporarily replace exec to intercept calls
    require('child_process').exec = jest.fn((command, callback) => {
      execCalls.push(command);
      // Simulate error to prevent actual execution
      callback(new Error('Mocked exec call'));
    });

    try {
      await themeUpdate(folder);
      
      // If we reach here, check what command would have been executed
      if (execCalls.length > 0) {
        // Assert that the raw folder input doesn't appear unescaped in the command
        execCalls.forEach(command => {
          // The command should NOT contain the raw, unescaped folder value
          // If it does, that's a command injection vulnerability
          expect(command).not.toContain(folder);
        });
      }
    } catch (error) {
      // If the function throws, that's acceptable - it means it rejected bad input
      // No assertion needed here as throwing is a valid defense
    } finally {
      // Restore original exec
      require('child_process').exec = originalExec;
    }
  });
});

This test guards against regressions — it's useful independent of the code change above.

---

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.

---

Automated security fix by OrbisAI Security