fix(utils): resolve command injection vulnerability in emptyFolder (3.x) (#5190)

mhassan1 · web-flow · commit 6ff0dc6ae666 · 2025-09-21T07:08:03.000+02:00
diff --git a/lib/utils.js b/lib/utils.js
@@ -476,8 +476,12 @@ module.exports.isNotSet = function (obj) {
   return false
 }
 
-module.exports.emptyFolder = async directoryPath => {
-  require('child_process').execSync(`rm -rf ${directoryPath}/*`)
+module.exports.emptyFolder = directoryPath => {
+  // Do not throw on non-existent directory, since it may be created later
+  if (!fs.existsSync(directoryPath)) return
+  for (const file of fs.readdirSync(directoryPath)) {
+    fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })
+  }
 }
 
 module.exports.printObjectProperties = obj => {

Original file line number	Diff line number	Diff line change
`@@ -476,8 +476,12 @@ module.exports.isNotSet = function (obj) {`
`476`	`476`	`return false`
`477`	`477`	`}`
`478`	`478`
`479`		`-module.exports.emptyFolder = async directoryPath => {`
`480`		- require('child_process').execSync(`rm -rf ${directoryPath}/*`)
	`479`	`+module.exports.emptyFolder = directoryPath => {`
	`480`	`+ // Do not throw on non-existent directory, since it may be created later`
	`481`	`+ if (!fs.existsSync(directoryPath)) return`
	`482`	`+ for (const file of fs.readdirSync(directoryPath)) {`
	`483`	`+ fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })`
	`484`	`+ }`
`481`	`485`	`}`
`482`	`486`
`483`	`487`	`module.exports.printObjectProperties = obj => {`