From 0d9591205e6820968916ddf14c19a317e75244f8 Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 30 Apr 2026 09:14:17 +0000
Subject: [PATCH 1/2] fix: javascript.lang.security.detect-child-process.detect-child-process security vulnerability
Automated security fix generated by Orbis Security AI
---
scripts/find-unused-diganostic-messages.mjs | 62 ++++++++++-----------
1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/scripts/find-unused-diganostic-messages.mjs b/scripts/find-unused-diganostic-messages.mjs
index 0b2ddbdd41f6a..9d82fad05763f 100644
--- a/scripts/find-unused-diganostic-messages.mjs
+++ b/scripts/find-unused-diganostic-messages.mjs
@@ -1,31 +1,31 @@
-// This file requires a modern version of node 14+, and grep to be available.
-
-// node scripts/find-unused-diagnostic-messages.mjs
-import { execSync } from "child_process";
-import { readFileSync } from "fs";
-import { EOL } from "os";
-
-const diags = readFileSync("src/compiler/diagnosticInformationMap.generated.ts", "utf8");
-const startOfDiags = diags.split("export const Diagnostics")[1];
-
-/** @type {string[]} */
-const missingNames = [];
-startOfDiags.split(EOL).forEach(line => {
- if (!line.includes(":")) return;
- const diagName = line.split(":")[0].trim();
-
- try {
- execSync(`grep -rnw 'src' -e 'Diagnostics.${diagName}'`).toString();
- process.stdout.write(".");
- }
- catch {
- missingNames.push(diagName);
- process.stdout.write("x");
- }
-});
-
-if (missingNames.length) {
- process.exitCode = 1;
- console.log("Could not find usage of these diagnostics in the codebase:");
- console.log(missingNames);
-}
+// This file requires a modern version of node 14+, and grep to be available.
+
+// node scripts/find-unused-diagnostic-messages.mjs
+import { execFileSync } from "child_process";
+import { readFileSync } from "fs";
+import { EOL } from "os";
+
+const diags = readFileSync("src/compiler/diagnosticInformationMap.generated.ts", "utf8");
+const startOfDiags = diags.split("export const Diagnostics")[1];
+
+/** @type {string[]} */
+const missingNames = [];
+startOfDiags.split(EOL).forEach(line => {
+ if (!line.includes(":")) return;
+ const diagName = line.split(":")[0].trim();
+
+ try {
+ execFileSync("grep", ["-rnw", "src", "-e", `Diagnostics.${diagName}`]);
+ process.stdout.write(".");
+ }
+ catch {
+ missingNames.push(diagName);
+ process.stdout.write("x");
+ }
+});
+
+if (missingNames.length) {
+ process.exitCode = 1;
+ console.log("Could not find usage of these diagnostics in the codebase:");
+ console.log(missingNames);
+}
From 1e249b0ebc2b39421524ee04077d41131b9c83a3 Mon Sep 17 00:00:00 2001
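Review bot: The bare `catch` around the new `execFileSync("grep", ...)` call still counts every failure as an unused diagnostic, so a grep that exits with status 2 (bad pattern, unreadable path) or a spawn error because grep is absent from PATH would mark every diagnostic as missing and fail the script for the wrong reason. `execFileSync` exposes the child's exit code as `err.status`, and only status 1 means "no match", so the handler can rethrow anything else: `catch (err) { if (err.status !== 1) throw err; missingNames.push(diagName); process.stdout.write("x"); }`. Because the match output is discarded, passing `{ stdio: ["ignore", "ignore", "inherit"] }` as the third argument would also avoid buffering grep's stdout on every call, which for a heavily used diagnostic could exceed the default maxBuffer and land in the same catch.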
From: OrbisAI Security
Date: Sat, 2 May 2026 16:33:30 +0530
Subject: [PATCH 2/2] refactor: use execFileSync in find-unused-diagnostic-messages script
Replaces execSync (shell string interpolation) with execFileSync (argument array) to avoid shell expansion entirely. diagName is derived from repo-controlled diagnostic identifiers so there is no practical injection risk, but the array form is the more idiomatic and robust Node.js pattern for invoking subprocesses.
Also restores original CRLF line endings to avoid unrelated line-ending noise in the diff.
Co-Authored-By: Claude Sonnet 4.6
---
scripts/find-unused-diganostic-messages.mjs | 62 ++++++++++-----------
1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/scripts/find-unused-diganostic-messages.mjs b/scripts/find-unused-diganostic-messages.mjs
index 9d82fad05763f..decfaa4389cca 100644
--- a/scripts/find-unused-diganostic-messages.mjs
+++ b/scripts/find-unused-diganostic-messages.mjs
@@ -1,31 +1,31 @@
-// This file requires a modern version of node 14+, and grep to be available.
-
-// node scripts/find-unused-diagnostic-messages.mjs
-import { execFileSync } from "child_process";
-import { readFileSync } from "fs";
-import { EOL } from "os";
-
-const diags = readFileSync("src/compiler/diagnosticInformationMap.generated.ts", "utf8");
-const startOfDiags = diags.split("export const Diagnostics")[1];
-
-/** @type {string[]} */
-const missingNames = [];
-startOfDiags.split(EOL).forEach(line => {
- if (!line.includes(":")) return;
- const diagName = line.split(":")[0].trim();
-
- try {
- execFileSync("grep", ["-rnw", "src", "-e", `Diagnostics.${diagName}`]);
- process.stdout.write(".");
- }
- catch {
- missingNames.push(diagName);
- process.stdout.write("x");
- }
-});
-
-if (missingNames.length) {
- process.exitCode = 1;
- console.log("Could not find usage of these diagnostics in the codebase:");
- console.log(missingNames);
-}
+// This file requires a modern version of node 14+, and grep to be available.
+
+// node scripts/find-unused-diagnostic-messages.mjs
+import { execFileSync } from "child_process";
+import { readFileSync } from "fs";
+import { EOL } from "os";
+
+const diags = readFileSync("src/compiler/diagnosticInformationMap.generated.ts", "utf8");
+const startOfDiags = diags.split("export const Diagnostics")[1];
+
+/** @type {string[]} */
+const missingNames = [];
+startOfDiags.split(EOL).forEach(line => {
+ if (!line.includes(":")) return;
+ const diagName = line.split(":")[0].trim();
+
+ try {
+ execFileSync("grep", ["-rnw", "src", "-e", `Diagnostics.${diagName}`]);
+ process.stdout.write(".");
+ }
+ catch {
+ missingNames.push(diagName);
+ process.stdout.write("x");
+ }
+});
+
+if (missingNames.length) {
+ process.exitCode = 1;
+ console.log("Could not find usage of these diagnostics in the codebase:");
+ console.log(missingNames);
+}