[AAASM-3439] 🔒 (sec): avoid shell interpolation in packaging test (CodeQL)

[Chisanan232]

Target

• Task summary:

  Resolve CodeQL code-scanning alert [AAASM-16] ✨ (architecture): Initialize node-sdk project architecture with pnpm #1 (js/shell-command-injection-from-environment, MEDIUM) in tests/packaging/npm-pack-content.test.ts. The packaging test built the tar and npm pack shell commands by interpolating an absolute temp-dir path (derived from process.cwd()) into a shell-string execSync call. An absolute path containing spaces or shell metacharacters would corrupt the command.

• Task tickets:

  • Task ID: AAASM-3439.
  • Relative task IDs:
    • N/A.
  • Relative PRs:
    • N/A.

• Key point change (optional):

  Switch the two path-interpolating execSync(\...`)calls toexecFileSync(cmd, [args])with discrete argument arrays — no shell, so the absolute paths are never re-parsed by a shell. Thepnpm run build` call (no interpolation) is left unchanged. Test behaviour and assertions are identical.

Effecting Scope

• Action Types:
  • 🍀 Improving something (performance, code quality, security, etc.)
• Scopes:
  • 🧪 Testing
    • 🧪 Unit testing
• Additional description:
  Test-only change; no production code, public API, or build config affected.

Description

• tests/packaging/npm-pack-content.test.ts: import execFileSync; replace execSync(\npm pack ... ${packDir}`)andexecSync(`tar -tf ${tarballPath}`)withexecFileSync` + args arrays. Added why-comments explaining the shell-injection rationale.

How to verify

• pnpm test -- tests/packaging/npm-pack-content.test.ts — passes (target test green).
• pnpm lint and pnpm typecheck — clean.

Closes AAASM-3439

🤖 Generated with Claude Code

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[Chisanan232]

🟢 Review result — Claude Code (AAASM-3439)

Verdict: APPROVED — ready for approval & merge.

1. CI status — all green

Analyze (javascript-typescript) ✅ · CodeQL ✅ · SonarCloud ✅ · codecov/patch ✅ · coverage-and-analysis ✅ · napi-build (20 + 22) ✅ · module-smoke (18/20/22) ✅ · quality ✅ · tests (18/20/22/24) ✅. No failures.

2. Scope vs ticket (AAASM-3439)

• ✅ Fixes CodeQL js/shell-command-injection-from-environment (MED) at tests/packaging/npm-pack-content.test.ts:32 — fixed in code, not dismissed: execSync(\tar -tf ${tarballPath}`)→execFileSync("tar", ["-tf", tarballPath])(args array bypasses the shell). Also hardened the siblingnpm pack --pack-destination ${packDir}call for consistency;pnpm run build` (no interpolation) left as-is.
• ✅ Behaviour-preserving: target test green, full suite 305 passed / 2 skipped, lint + typecheck clean, hooks passed.
• ✅ Scope limited to the one test file; PR base master on remote, not self-merged.

Scope delivered. Ready to merge (alert auto-closes on the next master CodeQL run post-merge).