fix(utils): resolve command injection vulnerability in emptyFolder

mhassan1 · mhassan1 · commit c96ca5b5eb82 · 2025-09-16T13:33:39.000-04:00
diff --git a/lib/utils.js b/lib/utils.js
@@ -477,7 +477,11 @@ module.exports.isNotSet = function (obj) {
 }
 
 module.exports.emptyFolder = directoryPath => {
-  require('child_process').execSync(`rm -rf ${directoryPath}/*`)
+  // Do not throw on non-existent directory, since it may be created later
+  if (!fs.existsSync(directoryPath)) return
+  for (const file of fs.readdirSync(directoryPath)) {
+    fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })
+  }
 }
 
 module.exports.printObjectProperties = obj => {

Original file line number	Diff line number	Diff line change
`@@ -477,7 +477,11 @@ module.exports.isNotSet = function (obj) {`
`477`	`477`	`}`
`478`	`478`
`479`	`479`	`module.exports.emptyFolder = directoryPath => {`
`480`		- require('child_process').execSync(`rm -rf ${directoryPath}/*`)
	`480`	`+ // Do not throw on non-existent directory, since it may be created later`
	`481`	`+ if (!fs.existsSync(directoryPath)) return`
	`482`	`+ for (const file of fs.readdirSync(directoryPath)) {`
	`483`	`+ fs.rmSync(path.join(directoryPath, file), { recursive: true, force: true })`
	`484`	`+ }`
`481`	`485`	`}`
`482`	`486`
`483`	`487`	`module.exports.printObjectProperties = obj => {`