Hi — I ran a static analysis tool called CodeTitan on mitre/saf and found 3 HIGH-severity shell injection risks that ESLint doesn't catch.
Findings
src/commands/generate/delta.ts:258 and :398

```ts
execSync(`cinc-auditor json '${path.dirname(controlsDir)}'`, ...)
```

`controlsDir` comes directly from a CLI flag (`--xccdfPath` / `--ovalPath`). A path containing a single quote breaks out of the shell string — e.g. `' ; rm -rf / ; echo '`. These commands run in CI pipelines where the input paths can come from PR content or external tooling.

src/commands/generate/update_controls4delta.ts:261 — same pattern, same risk.
Fix
Replace the template literal with an array form to avoid shell interpretation:

```ts
import { execSync, spawnSync } from 'child_process';
import path from 'path';

// Instead of:
execSync(`cinc-auditor json '${path.dirname(controlsDir)}'`)
// Use:
execSync('cinc-auditor json ' + JSON.stringify(path.dirname(controlsDir)))
// (note: sh still expands $VAR, $(...) and backticks inside double quotes, so this only closes the single-quote break-out)
// or spawnSync with args array (preferred — no shell involvement)
spawnSync('cinc-auditor', ['json', path.dirname(controlsDir)], { encoding: 'utf8' })
```
How I found this
I built CodeTitan to catch this class of issue automatically on TypeScript CLI tools. Happy to share the full report or wire it up to your PRs — no account needed, 3 lines of YAML.
— Noa'Lia