fix: address review feedback for proxyVarSubDir

zkochan · claude · zkochan · commit 3fa2d155aedc · 2026-03-20T14:46:57.000+01:00
- Validate proxyVarSubDir to reject dangerous values (leading slashes,
  .., shell metacharacters) in both posix and windows path extenders
- Quote pathRef in Fish shell string match when using proxyVarSubDir
- Add Fish and Nushell tests for proxyVarSubDir

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/os/env/path-extender-posix/path-extender-posix.spec.ts b/os/env/path-extender-posix/path-extender-posix.spec.ts
@@ -1008,6 +1008,35 @@ if not string match -q -- $PNPM_HOME $PATH
   set -gx PATH "$PNPM_HOME" $PATH
 end
 # pnpm end
+`)
+  })
+  it('should append to shell script with proxyVarSubDir', async () => {
+    fs.mkdirSync('.config/fish', { recursive: true })
+    fs.writeFileSync(configFile, '', 'utf8')
+    const report = await addDirToPosixEnvPath(pnpmHomeDir, {
+      proxyVarName: 'PNPM_HOME',
+      proxyVarSubDir: 'bin',
+      configSectionName: 'pnpm',
+    })
+    expect(report).toStrictEqual({
+      configFile: {
+        path: configFile,
+        changeType: 'appended',
+      },
+      oldSettings: ``,
+      newSettings: `set -gx PNPM_HOME "${pnpmHomeDir}"
+if not string match -q -- "$PNPM_HOME/bin" $PATH
+  set -gx PATH "$PNPM_HOME/bin" $PATH
+end`,
+    })
+    const configContent = fs.readFileSync(configFile, 'utf8')
+    expect(configContent).toEqual(`
+# pnpm
+set -gx PNPM_HOME "${pnpmHomeDir}"
+if not string match -q -- "$PNPM_HOME/bin" $PATH
+  set -gx PATH "$PNPM_HOME/bin" $PATH
+end
+# pnpm end
 `)
   })
   it('should append to empty shell script without using a proxy varialbe', async () => {
@@ -1208,6 +1237,31 @@ $env.PATH = ($env.PATH | split row (char esep) | prepend $env.PNPM_HOME )`,
 $env.PNPM_HOME = "${pnpmHomeDir}"
 $env.PATH = ($env.PATH | split row (char esep) | prepend $env.PNPM_HOME )
 # pnpm end
+`)
+  })
+  it('should append to shell script with proxyVarSubDir', async () => {
+    fs.mkdirSync('.config/nushell', { recursive: true })
+    fs.writeFileSync(configFile, '', 'utf8')
+    const report = await addDirToPosixEnvPath(pnpmHomeDir, {
+      proxyVarName: 'PNPM_HOME',
+      proxyVarSubDir: 'bin',
+      configSectionName: 'pnpm',
+    })
+    expect(report).toStrictEqual({
+      configFile: {
+        path: configFile,
+        changeType: 'appended',
+      },
+      oldSettings: ``,
+      newSettings: `$env.PNPM_HOME = "${pnpmHomeDir}"
+$env.PATH = ($env.PATH | split row (char esep) | prepend ($env.PNPM_HOME | path join "bin") )`,
+    })
+    const configContent = fs.readFileSync(configFile, 'utf8')
+    expect(configContent).toEqual(`
+# pnpm
+$env.PNPM_HOME = "${pnpmHomeDir}"
+$env.PATH = ($env.PATH | split row (char esep) | prepend ($env.PNPM_HOME | path join "bin") )
+# pnpm end
 `)
   })
   it('should append to empty shell script without using a proxy varialbe', async () => {
diff --git a/os/env/path-extender-posix/path-extender-posix.ts b/os/env/path-extender-posix/path-extender-posix.ts
@@ -43,10 +43,24 @@ export async function addDirToPosixEnvPath (
   dir: string,
   opts: AddDirToPosixEnvPathOpts
 ): Promise<PathExtenderPosixReport> {
+  if (opts.proxyVarSubDir) {
+    validateSubDir(opts.proxyVarSubDir)
+  }
   const currentShell = detectCurrentShell()
   return await updateShell(currentShell, dir, opts)
 }
 
+function validateSubDir (subDir: string): void {
+  if (
+    subDir.startsWith('/') ||
+    subDir.startsWith('\\') ||
+    subDir.includes('..') ||
+    /[;\n\r"'`$%|<>&]/.test(subDir)
+  ) {
+    throw new PnpmError('INVALID_SUBDIR', `Invalid proxyVarSubDir: "${subDir}"`)
+  }
+}
+
 function detectCurrentShell () {
   if (process.env.ZSH_VERSION) return 'zsh'
   if (process.env.BASH_VERSION) return 'bash'
@@ -144,8 +158,9 @@ async function setupFishShell (dir: string, opts: AddDirToPosixEnvPathOpts): Pro
   const _createPathValue = createFishPathValue.bind(null, opts.position ?? 'start')
   if (opts.proxyVarName) {
     const pathRef = opts.proxyVarSubDir ? `$${opts.proxyVarName}/${opts.proxyVarSubDir}` : `$${opts.proxyVarName}`
+    const matchPattern = opts.proxyVarSubDir ? `"${pathRef}"` : pathRef
     newSettings = `set -gx ${opts.proxyVarName} "${dir}"
-if not string match -q -- ${pathRef} $PATH
+if not string match -q -- ${matchPattern} $PATH
   set -gx PATH ${_createPathValue(pathRef)}
 end`
   } else {
diff --git a/os/env/path-extender-windows/path-extender-windows.ts b/os/env/path-extender-windows/path-extender-windows.ts
@@ -61,7 +61,21 @@ export async function addDirToWindowsEnvPath (dir: string, opts?: AddDirToWindow
 
 export type EnvVariableChangeAction = 'skipped' | 'updated'
 
+function validateSubDir (subDir: string): void {
+  if (
+    subDir.startsWith('/') ||
+    subDir.startsWith('\\') ||
+    subDir.includes('..') ||
+    /[;%"'`<>&]/.test(subDir)
+  ) {
+    throw new PnpmError('INVALID_SUBDIR', `Invalid proxyVarSubDir: "${subDir}"`)
+  }
+}
+
 async function _addDirToWindowsEnvPath (dir: string, opts: AddDirToWindowsEnvPathOpts = {}): Promise<PathExtenderWindowsReport> {
+  if (opts.proxyVarSubDir) {
+    validateSubDir(opts.proxyVarSubDir)
+  }
   const addedDir = path.normalize(dir)
   const registryOutput = await getRegistryOutput()
   const changes: PathExtenderWindowsReport = []
