chore(security): refactor command execution to prevent shell injection

Replace shell-based command execution with safer spawn-based approach in
plugin and repository managers. Add new runSafeCommand utility that
passes arguments as an array instead of shell strings, eliminating
command injection vulnerabilities. Update multiple dependencies including
@modelcontextprotocol/sdk, firebase, openai, and @vscode/vsce.

Author: involvex

.github/workflows/vscode-release.yml

@@ -37,7 +37,9 @@ jobs:
           bun run package
 
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
-          files: vscode-extension/*.vsix
+          files: |
+            vscode-extension/dist/*.vsix
           generate_release_notes: true
+          fail_on_unmatched_files: true

bun.lock

@@ -63,18 +63,23 @@
     "test:watch": "vitest",
     "typecheck": "tsc --noEmit"
   },
+  "overrides": {
+    "@modelcontextprotocol/sdk": "^1.26.0",
+    "brace-expansion": "^2.0.1",
+    "minimatch": "^9.0.5"
+  },
   "dependencies": {
     "@google/generative-ai": "^0.24.1",
-    "@modelcontextprotocol/sdk": "^1.25.3",
+    "@modelcontextprotocol/sdk": "^1.26.0",
     "@types/mime": "^4.0.0",
     "axios": "^1.13.4",
     "bcrypt": "^6.0.0",
     "cfonts": "^3.3.1",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
     "conventional-changelog-cli": "^5.0.0",
-    "dotenv": "^17.2.3",
-    "firebase": "^12.8.0",
+    "dotenv": "^17.2.4",
+    "firebase": "^12.9.0",
     "fs-extra": "^11.3.3",
     "ignore": "^7.0.5",
     "ink": "^6.6.0",
@@ -83,7 +88,7 @@
     "marked-terminal": "^7.3.0",
     "mime": "^4.1.0",
     "open": "^11.0.0",
-    "openai": "^6.17.0",
+    "openai": "^6.18.0",
     "react": "^19.2.4",
     "ripgrep-node": "^1.0.0",
     "shell-quote": "^1.8.3",
@@ -92,7 +97,7 @@
   },
   "devDependencies": {
     "@types/fs-extra": "^11.0.4",
-    "@types/node": "^25.1.0",
+    "@types/node": "^25.2.1",
     "@types/react": "18.3.27",
     "@types/ws": "^8.18.1",
     "@typescript-eslint/eslint-plugin": "^8.54.0",
@@ -102,7 +107,7 @@
     "prettier": "^3.8.1",
     "prettier-plugin-organize-imports": "^4.3.0",
     "prettier-plugin-packagejson": "^3.0.0",
-    "prettier-plugin-sort-imports": "^1.8.9",
+    "prettier-plugin-sort-imports": "^1.8.10",
     "react-devtools-core": "^7.0.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",

package.json

@@ -442,14 +442,21 @@ export function useInputHandler({
 
           // Strip placeholders like <name>, [action], etc.
           // Examples: "/chat save <name>" -> "/chat save ", "/mcp <action>" -> "/mcp "
-          let completedCommand = selectedCommand.command;
-
-          // Remove everything starting from the first space followed by a placeholder
-          // or just placeholders themselves
-          completedCommand = completedCommand
-            .replace(/\s*<[^>]+>/g, "")
-            .replace(/\s*\[[^\]]+\]/g, "");
+          const stripCommandPlaceholders = (command: string): string => {
+            let previous: string;
+            let current = command;
+            do {
+              previous = current;
+              current = current
+                .replace(/\s*<[^>]+>/g, "")
+                .replace(/\s*\[[^\]]+\]/g, "");
+            } while (current !== previous);
+            return current;
+          };
 
+          let completedCommand = stripCommandPlaceholders(
+            selectedCommand.command,
+          );
           // If it doesn't end with a space and it was a placeholder-heavy command, add a space
           if (
             !completedCommand.endsWith(" ") &&

src/hooks/use-input-handler.ts

@@ -1,14 +1,12 @@
 import { getSettingsManager } from "../utils/settings-manager";
 import { SuperAgent } from "../agent/super-agent";
+import { runSafeCommand } from "../utils/exec";
 import { SuperAgentPlugin } from "./types";
 import { SuperAgentTool } from "../types";
-import { exec } from "child_process";
-import { promisify } from "util";
+import execAsync from "node:process";
 import * as path from "path";
 import fs from "fs-extra";
 
-const execAsync = promisify(exec);
-
 export class PluginManager {
   private static instance: PluginManager;
   private plugins: Map<string, SuperAgentPlugin> = new Map();
@@ -156,13 +154,15 @@ export class PluginManager {
         `Repository already cloned at ${targetDir}. Pulling latest...`,
       );
       try {
-        await execAsync(`cd "${targetDir}" && git pull`);
+        await runSafeCommand("git", ["pull"], {
+          cwd: targetDir,
+        });
       } catch (error) {
         console.warn(`Failed to pull updates: ${error}`);
       }
     } else {
       // Clone the repository
-      await execAsync(`git clone "${gitUrl}" "${targetDir}"`);
+      await runSafeCommand("git", ["clone", gitUrl, targetDir]);
     }
 
     // Try to build if package.json exists
@@ -174,20 +174,18 @@ export class PluginManager {
         const hasBun = await fs.pathExists(path.join(targetDir, "bun.lockb"));
         const hasYarn = await fs.pathExists(path.join(targetDir, "yarn.lock"));
 
-        const installCmd = hasBun
-          ? "bun install"
-          : hasYarn
-            ? "yarn install"
-            : "npm install";
-        await execAsync(`cd "${targetDir}" && ${installCmd}`);
+        const installCmd = hasBun ? "bun" : hasYarn ? "yarn" : "npm";
+        const installArgs = ["install"];
+        await runSafeCommand(installCmd, installArgs, {
+          cwd: targetDir,
+        });
 
         console.log("🔨 Building plugin...");
-        const buildCmd = hasBun
-          ? "bun run build"
-          : hasYarn
-            ? "yarn build"
-            : "npm run build";
-        await execAsync(`cd "${targetDir}" && ${buildCmd}`);
+        const buildCmd = hasBun ? "bun" : hasYarn ? "yarn" : "npm";
+        const buildArgs = ["run", "build"];
+        await runSafeCommand(buildCmd, buildArgs, {
+          cwd: targetDir,
+        });
       } catch (error: any) {
         console.warn(`Build failed: ${error.message}`);
       }
@@ -222,20 +220,18 @@ export class PluginManager {
           path.join(absolutePath, "yarn.lock"),
         );
 
-        const installCmd = hasBun
-          ? "bun install"
-          : hasYarn
-            ? "yarn install"
-            : "npm install";
-        await execAsync(`cd "${absolutePath}" && ${installCmd}`);
+        const installCmd = hasBun ? "bun" : hasYarn ? "yarn" : "npm";
+        const installArgs = ["install"];
+        await runSafeCommand(installCmd, installArgs, {
+          cwd: absolutePath,
+        });
 
         console.log("🔨 Building plugin...");
-        const buildCmd = hasBun
-          ? "bun run build"
-          : hasYarn
-            ? "yarn build"
-            : "npm run build";
-        await execAsync(`cd "${absolutePath}" && ${buildCmd}`);
+        const buildCmd = hasBun ? "bun" : hasYarn ? "yarn" : "npm";
+        const buildArgs = ["run", "build"];
+        await runSafeCommand(buildCmd, buildArgs, {
+          cwd: absolutePath,
+        });
       } catch (error: any) {
         console.warn(`Build failed: ${error.message}`);
       }

src/plugins/manager.ts

@@ -1,10 +1,7 @@
-import { exec } from "child_process";
-import { promisify } from "util";
+import { runSafeCommand } from "../utils/exec";
 import * as path from "path";
 import fs from "fs-extra";
 
-const execAsync = promisify(exec);
-
 export interface RepositoryConfig {
   type: "agents" | "skills" | "hooks" | "mcp";
   url: string;
@@ -89,27 +86,35 @@ export class RepositoryManager {
 
       if (!(await fs.pathExists(gitDirPath))) {
         // Not in a git repo, just clone instead of using submodule
-        await execAsync(`git clone ${repoConfig.url} ${targetDir}`, {
+        await runSafeCommand("git", ["clone", repoConfig.url, targetDir], {
           cwd: process.cwd(),
         });
       } else {
         // Add as git submodule
         try {
-          await execAsync(`git submodule add ${repoConfig.url} ${targetDir}`, {
-            cwd: process.cwd(),
-          });
+          await runSafeCommand(
+            "git",
+            ["submodule", "add", repoConfig.url, targetDir],
+            {
+              cwd: process.cwd(),
+            },
+          );
         } catch (submoduleError: any) {
           // If submodule add fails, fall back to regular clone
-          await execAsync(`git clone ${repoConfig.url} ${targetDir}`, {
+          await runSafeCommand("git", ["clone", repoConfig.url, targetDir], {
             cwd: process.cwd(),
           });
         }
 
         // Update .gitmodules if needed
         try {
-          await execAsync(`git submodule update --init --recursive`, {
-            cwd: process.cwd(),
-          });
+          await runSafeCommand(
+            "git",
+            ["submodule", "update", "--init", "--recursive"],
+            {
+              cwd: process.cwd(),
+            },
+          );
         } catch {
           // Ignore update errors
         }
@@ -134,9 +139,13 @@ export class RepositoryManager {
       const targetDir = path.join(this.reposDir, config.type);
       try {
         if (await fs.pathExists(targetDir)) {
-          await execAsync(`git pull origin ${config.branch || "main"}`, {
-            cwd: targetDir,
-          });
+          await runSafeCommand(
+            "git",
+            ["pull", "origin", config.branch || "main"],
+            {
+              cwd: targetDir,
+            },
+          );
           updated.push(key);
         }
       } catch (error: any) {

src/plugins/repository-manager.ts

@@ -1,9 +1,6 @@
-import { exec, spawn } from "child_process";
 import { strict as assert } from "assert";
+import { spawn } from "child_process";
 import { EventEmitter } from "events";
-import { promisify } from "util";
-
-const execAsync = promisify(exec);
 
 export interface ConfirmationOptions {
   operation: string;

src/utils/confirmation-service.ts

@@ -0,0 +1,76 @@
+import { spawn } from "child_process";
+
+/**
+ * Options for executing a command
+ */
+export interface ExecOptions {
+  cwd?: string;
+  env?: NodeJS.ProcessEnv;
+  input?: string;
+}
+
+/**
+ * Result of a command execution
+ */
+export interface ExecResult {
+  stdout: string;
+  stderr: string;
+}
+
+/**
+ * Safely execute a command using child_process.spawn.
+ * This avoids shell injection vulnerabilities by passing arguments as an array
+ * and disabling shell execution by default.
+ */
+export async function runSafeCommand(
+  command: string,
+  args: string[],
+  options: ExecOptions = {},
+): Promise<ExecResult> {
+  return new Promise((resolve, reject) => {
+    const child = spawn(command, args, {
+      cwd: options.cwd || process.cwd(),
+      env: { ...process.env, ...options.env },
+      shell: false, // Disabling shell execution prevents injection
+    });
+
+    let stdout = "";
+    let stderr = "";
+
+    if (child.stdout) {
+      child.stdout.on("data", data => {
+        stdout += data.toString();
+      });
+    }
+
+    if (child.stderr) {
+      child.stderr.on("data", data => {
+        stderr += data.toString();
+      });
+    }
+
+    if (options.input && child.stdin) {
+      child.stdin.write(options.input);
+      child.stdin.end();
+    }
+
+    child.on("close", code => {
+      if (code === 0) {
+        resolve({ stdout, stderr });
+      } else {
+        const error = new Error(
+          `Command "${command} ${args.join(" ")}" failed with exit code ${code}.
+Stderr: ${stderr}`,
+        );
+        (error as any).code = code;
+        (error as any).stdout = stdout;
+        (error as any).stderr = stderr;
+        reject(error);
+      }
+    });
+
+    child.on("error", err => {
+      reject(err);
+    });
+  });
+}