From 770231687a6ab0206c5c12a5c8ac989806306bc3 Mon Sep 17 00:00:00 2001
From: gavrielc
Date: Mon, 2 Mar 2026 12:55:27 +0200
Subject: [PATCH] fix: prevent command injection in setup verify PID check

Validate PID as positive integer and use process.kill() instead of shell
interpolation via execSync, eliminating injection vector.

Co-Authored-By: Claude Opus 4.6
---
 setup/verify.ts | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/setup/verify.ts b/setup/verify.ts
index a738b8c..a08a431 100644
--- a/setup/verify.ts
+++ b/setup/verify.ts
@@ -68,9 +68,10 @@ export async function run(_args: string[]): Promise {
   const pidFile = path.join(projectRoot, 'nanoclaw.pid');
   if (fs.existsSync(pidFile)) {
     try {
-      const pid = fs.readFileSync(pidFile, 'utf-8').trim();
-      if (pid) {
-        execSync(`kill -0 ${pid}`, { stdio: 'ignore' });
+      const raw = fs.readFileSync(pidFile, 'utf-8').trim();
+      const pid = Number(raw);
+      if (raw && Number.isInteger(pid) && pid > 0) {
+        process.kill(pid, 0);
         service = 'running';
       }
     } catch {
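Review bot: `Number(raw)` on the new `const pid` line accepts more than a bare decimal PID — `'0x1f'`, `'1e3'` and `'+7'` all satisfy `Number.isInteger(pid) && pid > 0` — so the file content is still not validated as a literal PID; a digit-only test is tighter and makes the intent explicit: `if (/^\d+$/.test(raw) && pid > 0) {` (the `raw &&` guard then becomes redundant, since the regex already rejects the empty string, while `pid > 0` still matters because `process.kill(0, 0)` would signal the whole process group). Separately, `process.kill(pid, 0)` throws `EPERM` when the process exists but is owned by another user, and the `catch` below (outside the hunk) appears to treat every error as not-running; if so, checking for `err.code === 'EPERM'` and still reporting `'running'` would be more accurate, though the old `kill -0` had the same limitation, so this is a pre-existing gap rather than a regression. If `execSync` is no longer referenced elsewhere in setup/verify.ts, its import should be dropped in the same change. The body of run() continues past the end of the hunk.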