getsentry · sebastiondev · Mar 22, 2026 · cursor · Mar 22, 2026
diff --git a/scripts/generate-version.ts b/scripts/generate-version.ts
@@ -7,6 +7,16 @@ interface PackageJson {
   macOSTemplateVersion: string;
 }
 
+const VERSION_REGEX = /^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?(\+[a-zA-Z0-9.]+)?$/;
+
+function validateVersion(name: string, value: string): void {
+  if (!VERSION_REGEX.test(value)) {
+    throw new Error(
+      `Invalid ${name} in package.json: ${JSON.stringify(value)}. Expected a version string.`,
+    );
+  }
+}
+
 async function main(): Promise<void> {
   const repoRoot = process.cwd();
   const packagePath = path.join(repoRoot, 'package.json');
@@ -15,10 +25,14 @@ async function main(): Promise<void> {
   const raw = await readFile(packagePath, 'utf8');
   const pkg = JSON.parse(raw) as PackageJson;
 
+  validateVersion('version', pkg.version);
+  validateVersion('iOSTemplateVersion', pkg.iOSTemplateVersion);
+  validateVersion('macOSTemplateVersion', pkg.macOSTemplateVersion);
+
   const content =
-    `export const version = '${pkg.version}';\n` +
-    `export const iOSTemplateVersion = '${pkg.iOSTemplateVersion}';\n` +
-    `export const macOSTemplateVersion = '${pkg.macOSTemplateVersion}';\n`;
+    `export const version = ${JSON.stringify(pkg.version)};\n` +
+    `export const iOSTemplateVersion = ${JSON.stringify(pkg.iOSTemplateVersion)};\n` +
+    `export const macOSTemplateVersion = ${JSON.stringify(pkg.macOSTemplateVersion)};\n`;
 
   await writeFile(versionPath, content, 'utf8');
 }

diff --git a/src/utils/command.ts b/src/utils/command.ts
@@ -13,6 +13,7 @@ import { spawn } from 'child_process';
 import { createWriteStream, existsSync } from 'fs';
 import { tmpdir as osTmpdir } from 'os';
 import { log } from './logger.ts';
+import { shellEscapeArg } from './shell-escape.ts';
 import type { FileSystemExecutor } from './FileSystemExecutor.ts';
 import type { CommandExecutor, CommandResponse, CommandExecOptions } from './CommandExecutor.ts';
 
@@ -41,16 +42,8 @@ async function defaultExecutor(
   let escapedCommand = command;
   if (useShell) {
     // For shell execution, we need to format as ['/bin/sh', '-c', 'full command string']
-    const commandString = command
-      .map((arg) => {
-        // Shell metacharacters that require quoting: space, quotes, equals, dollar, backticks, semicolons, pipes, etc.
-        if (/[\s,"'=$`;&|<>(){}[\]\\*?~]/.test(arg) && !/^".*"$/.test(arg)) {
-          // Escape all quotes and backslashes, then wrap in double quotes
-          return `"${arg.replace(/(["\\])/g, '\\$1')}"`;
-        }
-        return arg;
-      })
-      .join(' ');
+    // Use POSIX single-quote escaping for each argument to prevent injection
+    const commandString = command.map((arg) => shellEscapeArg(arg)).join(' ');
 
     escapedCommand = ['/bin/sh', '-c', commandString];
   }

diff --git a/src/utils/log_capture.ts b/src/utils/log_capture.ts
@@ -36,6 +36,15 @@ export interface LogSession {
  */
 export type SubsystemFilter = 'app' | 'all' | 'swiftui' | string[];
 
+/**
+ * Escape a string for safe use inside a double-quoted NSPredicate string literal.
+ * Backslash-escapes any backslashes and double quotes so the value cannot
+ * break out of the `"..."` context in predicates like `subsystem == "VALUE"`.
+ */
+function escapePredicateString(value: string): string {
+  return value.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+}
+
 /**
  * Build the predicate string for log filtering based on subsystem filter option.
  */
@@ -45,18 +54,22 @@ function buildLogPredicate(bundleId: string, subsystemFilter: SubsystemFilter):
     return null;
   }
 
+  const safeBundleId = escapePredicateString(bundleId);
+
   if (subsystemFilter === 'app') {
-    return `subsystem == "${bundleId}"`;
+    return `subsystem == "${safeBundleId}"`;
   }
 
   if (subsystemFilter === 'swiftui') {
     // Include both app logs and SwiftUI logs (for Self._printChanges())
-    return `subsystem == "${bundleId}" OR subsystem == "com.apple.SwiftUI"`;
+    return `subsystem == "${safeBundleId}" OR subsystem == "com.apple.SwiftUI"`;
   }
 
   // Custom array of subsystems - always include the app's bundle ID
   const subsystems = new Set([bundleId, ...subsystemFilter]);
-  const predicates = Array.from(subsystems).map((s) => `subsystem == "${s}"`);
+  const predicates = Array.from(subsystems).map(
+    (s) => `subsystem == "${escapePredicateString(s)}"`,
+  );
   return predicates.join(' OR ');
 }
 

diff --git a/src/utils/shell-escape.ts b/src/utils/shell-escape.ts
@@ -0,0 +1,15 @@
+/**
+ * POSIX-safe shell argument escaping.
+ *
+ * Wraps a string in single quotes and escapes any embedded single quotes
+ * using the standard `'\''` technique. This is the safest way to pass
+ * arbitrary strings as arguments to `/bin/sh -c` commands.
+ *
+ * @param arg The argument to escape for safe shell interpolation
+ * @returns A single-quoted, safely escaped string
+ */
+export function shellEscapeArg(arg: string): string {
+  // Replace each single quote with: end current quote, escaped single quote, start new quote
+  // Then wrap the whole thing in single quotes
+  return "'" + arg.replace(/'/g, "'\\''") + "'";
+}