nthfuncx/nanoclaw
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix: prevent command injection in setup verify PID check

Browse Source 
Validate PID as positive integer and use process.kill() instead of
shell interpolation via execSync, eliminating injection vector.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
gavrielc
2026-03-02 12:55:27 +02:00
parent 62c25b1d4c
commit 770231687a
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
setup/verify.ts
View File

@@ -68,9 +68,10 @@ export async function run(_args: string[]): Promise<void> {
const pidFile = path.join(projectRoot, 'nanoclaw.pid'); const pidFile = path.join(projectRoot, 'nanoclaw.pid');
if (fs.existsSync(pidFile)) { if (fs.existsSync(pidFile)) {
try { try {
const pid = fs.readFileSync(pidFile, 'utf-8').trim(); const raw = fs.readFileSync(pidFile, 'utf-8').trim();
if (pid) { const pid = Number(raw);
execSync(`kill -0 ${pid}`, { stdio: 'ignore' }); if (raw && Number.isInteger(pid) && pid > 0) {
process.kill(pid, 0);
service = 'running'; service = 'running';
} }
} catch { } catch {