Fix critical security vulnerabilities

VibeCodingWithPhil · VibeCodingWithPhil · commit a3af39091a09 · 2025-08-31T23:15:00.000+02:00
- Update Next.js from 14.2.30 to 14.2.32 to fix CVE-2025-57752, CVE-2025-55173, CVE-2025-57822 - Fix command injection vulnerabilities (CWE-78) by replacing exec with execFile - Fix insecure randomness (CWE-338) by using crypto.randomBytes - Remove clear-text password logging (CWE-312) - Secure all Git operations with proper argument sanitization Security improvements: - GitHubRepoManager: Use execFile for safe command execution - CreateProjectWizard: Use crypto for secure random generation - DatabaseWizard: Remove password from logs - UnifiedProjectSetup: Use execFile to prevent injection - AutoCommitManager: Sanitize all Git commands properly
diff --git a/src/database/DatabaseWizard.ts b/src/database/DatabaseWizard.ts
@@ -726,7 +726,7 @@ export class DatabaseWizard {
   private async askCredentialInput(input: WizardCredentialInput): Promise<string> {
     const prompt = `${input.label}${input.required ? ' (required)' : ' (optional)'}: `;
     
-    if (input.description) {
+    if (input.description && input.name !== 'password') {
       console.log(`  ${input.description}`);
     }
     
diff --git a/src/github/GitHubRepoManager.ts b/src/github/GitHubRepoManager.ts
@@ -1,5 +1,5 @@
 import { AxiosInstance } from 'axios';
-import { exec } from 'child_process';
+import { exec, execFile } from 'child_process';
 import { promises as fs } from 'fs';
 import { join } from 'path';
 import { promisify } from 'util';
@@ -15,6 +15,7 @@ import {
 } from './types';
 
 const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 
 export class GitHubRepoManager {
   private httpClient: AxiosInstance;
@@ -276,7 +277,7 @@ export class GitHubRepoManager {
       const repository = await this.getRepository(repo);
       const cloneUrl = useSsh ? repository.sshUrl : repository.cloneUrl;
 
-      await execAsync(`git clone ${cloneUrl} "${localPath}"`);
+      await execFileAsync('git', ['clone', cloneUrl, localPath]);
     } catch (error: any) {
       throw new Error(`Failed to clone repository: ${error.message}`);
     }
@@ -309,10 +310,10 @@ export class GitHubRepoManager {
       try {
         await execAsync('git remote get-url origin', { cwd: localPath });
         // If it exists, update it
-        await execAsync(`git remote set-url origin ${remoteUrl}`, { cwd: localPath });
+        await execFileAsync('git', ['remote', 'set-url', 'origin', remoteUrl], { cwd: localPath });
       } catch {
         // If it doesn't exist, add it
-        await execAsync(`git remote add origin ${remoteUrl}`, { cwd: localPath });
+        await execFileAsync('git', ['remote', 'add', 'origin', remoteUrl], { cwd: localPath });
       }
 
       // Push current branch
diff --git a/src/monitor/package-lock.json b/src/monitor/package-lock.json
diff --git a/src/monitor/package.json b/src/monitor/package.json
@@ -28,7 +28,7 @@
     "d3": "^7.9.0",
     "express": "^4.18.2",
     "lucide-react": "^0.294.0",
-    "next": "14.2.30",
+    "next": "^14.2.32",
     "react": "^18.2.0",
     "react-dom": "^18.2.0",
     "recharts": "^2.10.3",
diff --git a/src/protection/AutoCommitManager.ts b/src/protection/AutoCommitManager.ts
@@ -1,7 +1,7 @@
 import * as fs from 'fs-extra';
 import * as path from 'path';
 import * as chokidar from 'chokidar';
-import { exec } from 'child_process';
+import { exec, execFile } from 'child_process';
 import { promisify } from 'util';
 import { 
   AutoCommitConfig, 
@@ -14,6 +14,7 @@ import {
 } from './types';
 
 const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 
 export class AutoCommitManager {
   private config: AutoCommitConfig;
@@ -123,7 +124,7 @@ export class AutoCommitManager {
 
   private async validateGitRepository(): Promise<void> {
     try {
-      await execAsync('git rev-parse --is-inside-work-tree');
+      await execFileAsync('git', ['rev-parse', '--is-inside-work-tree']);
     } catch (error) {
       throw new ProtectionError(
         'Not a git repository',
@@ -488,21 +489,19 @@ export class AutoCommitManager {
   private async gitCommit(filePaths: string[], message: string): Promise<CommitInfo> {
     try {
       // Add files to staging
-      const addCommand = `git add ${filePaths.map(p => `"${p}"`).join(' ')}`;
-      await execAsync(addCommand);
+      await execFileAsync('git', ['add', ...filePaths]);
       
       // Commit with message
-      const commitCommand = `git commit -m "${message.replace(/"/g, '\\"')}"`;
-      const { stdout } = await execAsync(commitCommand);
+      const { stdout } = await execFileAsync('git', ['commit', '-m', message]);
       
       // Get commit info
-      const { stdout: hashOutput } = await execAsync('git rev-parse HEAD');
+      const { stdout: hashOutput } = await execFileAsync('git', ['rev-parse', 'HEAD']);
       const hash = hashOutput.trim();
       
-      const { stdout: authorOutput } = await execAsync('git config user.name');
+      const { stdout: authorOutput } = await execFileAsync('git', ['config', 'user.name']);
       const author = authorOutput.trim();
       
-      const { stdout: branchOutput } = await execAsync('git rev-parse --abbrev-ref HEAD');
+      const { stdout: branchOutput } = await execFileAsync('git', ['rev-parse', '--abbrev-ref', 'HEAD']);
       const branch = branchOutput.trim();
       
       const commitInfo: CommitInfo = {
@@ -591,8 +590,14 @@ export class AutoCommitManager {
 
   async getCommitHistory(limit: number = 10): Promise<CommitInfo[]> {
     try {
-      const command = `git log --oneline -n ${limit} --pretty=format:"%H|%s|%an|%ad" --date=iso`;
-      const { stdout } = await execAsync(command);
+      const { stdout } = await execFileAsync('git', [
+        'log',
+        '--oneline',
+        '-n',
+        String(limit),
+        '--pretty=format:%H|%s|%an|%ad',
+        '--date=iso'
+      ]);
       
       if (!stdout.trim()) {
         return [];
diff --git a/src/wizard/CreateProjectWizard.ts b/src/wizard/CreateProjectWizard.ts
@@ -867,7 +867,9 @@ export class CreateProjectWizard extends EventEmitter {
    * Utility methods
    */
   private generateSessionId(): string {
-    return `wizard_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+    const crypto = require('crypto');
+    const randomBytes = crypto.randomBytes(6).toString('hex');
+    return `wizard_${Date.now()}_${randomBytes}`;
   }
 
   private validateOptions(options: WizardOptions): ValidationResult {
diff --git a/src/wizard/UnifiedProjectSetup.ts b/src/wizard/UnifiedProjectSetup.ts
@@ -781,16 +781,16 @@ jobs:
 
   private async connectLocalGitToRemote(repository: any, projectPath: string): Promise<void> {
     try {
-      const { execSync } = require('child_process');
+      const { execFileSync } = require('child_process');
       
-      // Add remote origin
-      execSync(`git remote add origin ${repository.cloneUrl}`, {
+      // Add remote origin - using execFileSync to prevent command injection
+      execFileSync('git', ['remote', 'add', 'origin', repository.cloneUrl], {
         cwd: projectPath,
         stdio: 'ignore'
       });
       
       // Set upstream branch
-      execSync('git branch -M main', { cwd: projectPath, stdio: 'ignore' });
+      execFileSync('git', ['branch', '-M', 'main'], { cwd: projectPath, stdio: 'ignore' });
       
     } catch (error) {
       console.warn('Failed to connect local git to remote:', error);

Original file line number	Diff line number	Diff line change
`@@ -726,7 +726,7 @@ export class DatabaseWizard {`
`726`	`726`	`private async askCredentialInput(input: WizardCredentialInput): Promise<string> {`
`727`	`727`	const prompt = `${input.label}${input.required ? ' (required)' : ' (optional)'}: `;
`728`	`728`
`729`		`- if (input.description) {`
	`729`	`+ if (input.description && input.name !== 'password') {`
`730`	`730`	console.log(` ${input.description}`);
`731`	`731`	`}`
`732`	`732`