🛡️ Sentinel: [CRITICAL] Fix command injection vulnerability with execSync usage

bin/ai-review.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 
-const { execSync, spawn, execFileSync } = require('child_process');
+const { spawn, execFileSync } = require('child_process');
 const path = require('path');
 const fs = require('fs');
 
@@ -75,7 +75,7 @@
 
 function checkGitRepo() {
   try {
-    execSync('git rev-parse --git-dir', { stdio: 'ignore' });
+    execFileSync('git', ['rev-parse', '--git-dir'], { stdio: 'ignore' });
     return true;
   } catch (error) {
     console.error('❌ Error: Not a git repository');
@@ -110,9 +110,9 @@
       const url = `http://localhost:${port}`;
       console.log(`\n🌐 Opening browser: ${url}`);
 
-      const start = (process.platform == 'darwin' ? 'open' : process.platform == 'win32' ? 'start' : 'xdg-open');
+      const start = (process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open');
       try {
-        execSync(`${start} ${url}`, { stdio: 'ignore' });
+        execFileSync(start, [url], { stdio: 'ignore' });
       } catch (error) {
         console.log('💡 Could not open browser automatically');
         console.log('   Please open manually:', url);
@@ -206,7 +206,7 @@
         if (i + 1 < args.length) {
           port = parseInt(args[i + 1]);
           i++; // Skip next argument
           if (isNaN(port) || port < 1 || port > 65535) {
             console.error('❌ Invalid port number');
             process.exit(1);
           }

run-tests.js

@@ -7,7 +7,7 @@
 
 const { execSync } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 
 // Test results
 const results = {
@@ -113,7 +113,7 @@
 
 // Test pattern matching logic directly
 console.log('Test: Pattern matching function');
 const exportScript = require('./scripts/export-ai-review.js');
 // This test requires examining the matchPattern function
 console.log('⏭️  SKIP: Direct pattern matching (requires module exports)');
 results.skipped.push('B1: Pattern matching unit test');
@@ -270,7 +270,7 @@
 }
 
 // Summary
-console.log('\n' + '='.repeat(60));
+console.log(`\n${  '='.repeat(60)}`);
 console.log('📊 TEST RESULTS SUMMARY');
 console.log('='.repeat(60));
 console.log(`✅ Passed: ${results.passed.length}`);
@@ -293,7 +293,7 @@
   results.skipped.forEach(test => console.log(`  - ${test}`));
 }
 
-console.log('\n' + '='.repeat(60));
+console.log(`\n${  '='.repeat(60)}`);
 
 if (results.failed.length === 0) {
   console.log('✅ ALL TESTS PASSED! Ready for deployment.');

scripts/export-ai-review.js

@@ -6,13 +6,13 @@
  * Supports include/exclude file patterns
  */
 
-const { execSync, execFileSync } = require('child_process');
+const { execFileSync } = require('child_process');
 const { writeFileSync, mkdirSync, existsSync } = require('fs');
 const path = require('path');
 
 // Import DiffService for consistent formatting
 const DiffService = require('../services/diffService');
 const GitStatusParser = require('../services/gitStatusParser');
 const ReviewGenerator = require('../services/ReviewGenerator');
 
 // Parse command line arguments
@@ -113,7 +113,7 @@
 
 // Check if we're in a git repository
 try {
-  execSync('git rev-parse --git-dir', { stdio: 'ignore' });
+  execFileSync('git', ['rev-parse', '--git-dir'], { stdio: 'ignore' });
 } catch (error) {
   console.error('❌ Error: Not a git repository');
   console.error('💡 Please run this command inside a git repository');
@@ -125,15 +125,15 @@
 let deletedFiles = [];
 
 try {
-  const output = execSync('git diff --cached --name-only', { encoding: 'utf-8' });
+  const output = execFileSync('git', ['diff', '--cached', '--name-only'], { encoding: 'utf-8' });
   stagedFiles = output.trim() ? output.trim().split('\n').filter(f => f.length > 0) : [];
 } catch (error) {
   console.error('❌ Error getting staged files:', error.message);
   process.exit(1);
 }
 
 try {
-  const deletedOutput = execSync('git ls-files --deleted', { encoding: 'utf-8' });
+  const deletedOutput = execFileSync('git', ['ls-files', '--deleted'], { encoding: 'utf-8' });
   deletedFiles = deletedOutput.trim() ? deletedOutput.trim().split('\n').filter(f => f.length > 0) : [];
 } catch (error) {
   // Ignore error, deletedFiles will remain empty
@@ -189,7 +189,7 @@
   // Directory exclusion: "node_modules/" or "node_modules/*"
   if (pattern.endsWith('/') || pattern.endsWith('/*')) {
     const dir = pattern.replace(/\/?\\*?$/, '');
-    if (file.startsWith(dir + '/')) return true;
+    if (file.startsWith(`${dir  }/`)) return true;
   }
 
   // Extension pattern: "*.log"
@@ -203,13 +203,13 @@
     // Convert glob pattern to regex
     // scripts/**/*.js -> ^scripts\/(.*\/)?[^/]*\.js$
     // ** means "zero or more directories", so **/ becomes (.*\/)?
-    let regexPattern = pattern
+    const regexPattern = pattern
       .replace(/\*\*\//g, '__DOUBLESTARSLASH__')  // Placeholder for **/
       .replace(/\./g, '\\.')  // Escape dots
       .replace(/\//g, '\\/')  // Escape forward slashes
       .replace(/\*/g, '[^/]*')  // * matches any characters except /
       .replace(/__DOUBLESTARSLASH__/g, '(.*\\/)?');  // **/ means zero or more dirs
-    const regex = new RegExp('^' + regexPattern + '$');
+    const regex = new RegExp(`^${  regexPattern  }$`);
     if (regex.test(file)) return true;
   }
 
@@ -219,7 +219,7 @@
       .replace(/\./g, '\\.')
       .replace(/\//g, '\\/')
       .replace(/\*/g, '[^/]*');
-    const regex = new RegExp('^' + regexPattern + '$');
+    const regex = new RegExp(`^${  regexPattern  }$`);
     if (regex.test(file)) return true;
   }
 
@@ -256,7 +256,7 @@
   }
 }
 
-console.log(`\n📊 Summary:`);
+console.log('\n📊 Summary:');
 console.log(`   Included: ${includedFiles.length} files`);
 console.log(`   Excluded: ${excludedFiles.length} files`);
 console.log(`   Too large: ${largeFiles.length} files`);
@@ -269,9 +269,9 @@
 // Generate AI review content
 if (config.splitMode) {
   const outDirName = config.outputDir === 'AI_REVIEWS' ? undefined : config.outputDir; // undefined triggers timestamp default in service
-  console.log(`\nmode: ✂️  Split Mode`);
+  console.log('\nmode: ✂️  Split Mode');
   if (outDirName) console.log(`Output: ${outDirName}/`);
-  else console.log(`Output: [Auto-Timestamped Directory]`);
+  else console.log('Output: [Auto-Timestamped Directory]');
 
   (async () => {
     try {

server.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 const express = require('express');
 const { execFile } = require('child_process');
 const { writeFileSync, readFileSync, existsSync, mkdirSync } = require('fs');
 const path = require('path');
 const cors = require('cors');
@@ -97,7 +97,7 @@
 
     const userAgent = req.get('User-Agent') || '';
     const queryString = JSON.stringify(req.query);
-    const fullUrl = req.path + (req.query ? '?' + new URLSearchParams(req.query).toString() : '');
+    const fullUrl = req.path + (req.query ? `?${  new URLSearchParams(req.query).toString()}` : '');
 
     const suspiciousFound = suspiciousPatterns.some(pattern =>
       pattern.test(fullUrl) ||
@@ -178,7 +178,8 @@
 
   // Additional checks for suspicious patterns
   const suspiciousPatterns = [
-    /\x00/,           // Null bytes
+    // eslint-disable-next-line no-control-regex
+    /\u0000/,           // Null bytes
     /[<>"|*?]/,       // Dangerous file characters
     /^\//,            // Absolute paths
     /^[a-zA-Z]:\\/,   // Windows absolute paths
@@ -333,7 +334,7 @@
     const files = output.trim() ? output.trim().split('\n').filter(f => f.length > 0) : [];
 
     // Get file statuses to determine if files are deleted
-    let fileStatuses = {};
+    const fileStatuses = {};
     try {
       const statusOutput = await GitService.execute('diff-cached', ['--name-status']);
       const statusLines = statusOutput.trim().split('\n').filter(line => line.length > 0);
@@ -566,7 +567,7 @@
       return res.status(400).json({
         success: false,
         error: `Found ${deletedFiles.length} deleted file(s) but they are not staged. Use "git add -A" to stage all changes including deletions.`,
-        deletedFiles: deletedFiles,
+        deletedFiles,
         suggestion: 'Run "git add -A" to stage all changes, then try again.',
         timestamp: new Date().toISOString()
       });
@@ -660,7 +661,7 @@
       return res.status(400).json({
         success: false,
         error: `Found ${deletedFiles.length} deleted file(s) but they are not staged.Use "git add -A" to stage all changes including deletions.`,
-        deletedFiles: deletedFiles,
+        deletedFiles,
         suggestion: 'Run "git add -A" to stage all changes, then try again.',
         timestamp: new Date().toISOString()
       });

services/ReviewGenerator.js

@@ -40,10 +40,10 @@ class ReviewGenerator {
     const createdFiles = [];
 
     // Generate Summary Content
-    let summaryContent = `# 🔍 Code Review Summary\n\n`;
+    let summaryContent = '# 🔍 Code Review Summary\n\n';
     summaryContent += `**Generated:** ${new Date().toLocaleString()}\n`;
     summaryContent += `**Total Files:** ${includedFiles.length}\n\n`;
-    summaryContent += `## 📂 Review Files\n`;
+    summaryContent += '## 📂 Review Files\n';
 
     // Process files concurrently for better performance
     const filePromises = includedFiles.map(async (file) => {
@@ -100,15 +100,15 @@ class ReviewGenerator {
   static async generateUnifiedReview({ includedFiles, excludedFiles = [], largeFiles = [] }) {
     const timestamp = new Date().toLocaleString();
     let content = `# 🔍 Code Review - ${timestamp}\n\n`;
-    content += `**Project:** AI Visual Code Review\n`;
-    content += `**Generated by:** AI Visual Code Review v2.0\n\n`;
+    content += '**Project:** AI Visual Code Review\n';
+    content += '**Generated by:** AI Visual Code Review v2.0\n\n';
 
     // Change Summary
     try {
       const stats = await GitService.getDiffStats();
       content += `## 📊 Change Summary\n\n\`\`\`\n${stats.trim()}\n\`\`\`\n\n`;
     } catch (err) {
-      content += `## 📊 Change Summary\n\n(Stats not available)\n\n`;
+      content += '## 📊 Change Summary\n\n(Stats not available)\n\n';
     }
 
     content += `## 📝 Files Changed (${includedFiles.length} selected)\n\n`;
@@ -139,7 +139,7 @@ class ReviewGenerator {
         let fileContent = '';
 
         // Get file status
-        let fileStatus = fileStatuses[file] || 'M ';
+        const fileStatus = fileStatuses[file] || 'M ';
         const statusInfo = GitStatusParser.parse(fileStatus);
 
         fileContent += `\n${GitStatusParser.getMarkdownHeader(fileStatus, file)}\n\n`;
@@ -207,7 +207,7 @@ class ReviewGenerator {
       }
     }
 
-    content += this.getChecklistTemplate().replace("# 🔍 Code Review", "").replace("## 📊 File Information", ""); // Remove duplicate headers from checklist template if reusing
+    content += this.getChecklistTemplate().replace('# 🔍 Code Review', '').replace('## 📊 File Information', ''); // Remove duplicate headers from checklist template if reusing
 
     // Write to file
     const filePath = path.join(process.cwd(), 'AI_REVIEW.md');
@@ -243,10 +243,10 @@ class ReviewGenerator {
 
     let content = `# 📄 Code Review: \`${file}\`\n\n`;
     content += `**Generated:** ${new Date().toLocaleString()}\n`;
-    content += `**Project:** AI Visual Code Review\n`;
-    content += `**Review Type:** Individual File Analysis\n\n`;
+    content += '**Project:** AI Visual Code Review\n';
+    content += '**Review Type:** Individual File Analysis\n\n';
 
-    content += `## 📊 File Information\n\n`;
+    content += '## 📊 File Information\n\n';
     content += `**Type:** ${fileTypeMap[ext] || 'Source File 📄'}\n`;
     content += `**Path:** \`${file}\`\n`;
     content += `**Extension:** ${ext || 'None'}\n\n`;
@@ -261,7 +261,7 @@ class ReviewGenerator {
       .filter(([lineId]) => lineId.includes(file.replace(/[^a-zA-Z0-9]/g, '_')));
 
     if (fileLineComments.length > 0) {
-      content += `## 🔍 Line Comments\n\n`;
+      content += '## 🔍 Line Comments\n\n';
       fileLineComments.forEach(([lineId, comment]) => {
         content += `- **${lineId}:** ${comment}\n`;
       });
@@ -271,7 +271,7 @@ class ReviewGenerator {
     // Diff
     try {
       const diff = await GitService.getDiffForFile(file);
-      content += `## 📝 Changes\n\n`;
+      content += '## 📝 Changes\n\n';
       content += DiffService.generateEnhancedDiffMarkdown(diff);
     } catch (error) {
       content += `## ❌ Error\n\nCould not load diff for \`${file}\`: ${error.message}\n\n`;

services/gitStatusParser.js

@@ -36,7 +36,7 @@ class GitStatusParser {
    */
   static parse(statusCode) {
     // Normalize status code to 2 characters
-    const normalizedStatus = (statusCode + '  ').slice(0, 2);
+    const normalizedStatus = (`${statusCode  }  `).slice(0, 2);
     const indexStatus = normalizedStatus[0];
     const workingStatus = normalizedStatus[1];
 

src/middleware/security.js

@@ -80,7 +80,7 @@ function requestLogger(req, res, next) {
 
     const userAgent = req.get('User-Agent') || '';
     const queryString = JSON.stringify(req.query);
-    const fullUrl = req.path + (req.query ? '?' + new URLSearchParams(req.query).toString() : '');
+    const fullUrl = req.path + (req.query ? `?${  new URLSearchParams(req.query).toString()}` : '');
 
     const suspiciousFound = suspiciousPatterns.some(pattern =>
       pattern.test(fullUrl) ||

src/utils/validation.js

@@ -31,7 +31,8 @@ function validateFileRequest(file) {
 
   // Additional checks for suspicious patterns
   const suspiciousPatterns = [
-    /\x00/,           // Null bytes
+    // eslint-disable-next-line no-control-regex
+    /\u0000/,           // Null bytes
     /[<>"|*?]/,       // Dangerous file characters
     /^\//,            // Absolute paths
     /^[a-zA-Z]:\\/,   // Windows absolute paths