* Generates placeholder strings with random salt to prevent injection attacks. * The salt prevents malicious commands from containing literal placeholder strings * that would be replaced during parsing, allowing command argument injection. * * Security: This is critical for preventing attacks wh
()
| 18 | * `sort __SINGLE_QUOTE__ hello --help __SINGLE_QUOTE__` could inject arguments. |
| 19 | */ |
| 20 | function generatePlaceholders(): { |
| 21 | SINGLE_QUOTE: string |
| 22 | DOUBLE_QUOTE: string |
| 23 | NEW_LINE: string |
| 24 | ESCAPED_OPEN_PAREN: string |
| 25 | ESCAPED_CLOSE_PAREN: string |
| 26 | } { |
| 27 | // Generate 8 random bytes as hex (16 characters) for salt |
| 28 | const salt = randomBytes(8).toString('hex') |
| 29 | return { |
| 30 | SINGLE_QUOTE: `__SINGLE_QUOTE_${salt}__`, |
| 31 | DOUBLE_QUOTE: `__DOUBLE_QUOTE_${salt}__`, |
| 32 | NEW_LINE: `__NEW_LINE_${salt}__`, |
| 33 | ESCAPED_OPEN_PAREN: `__ESCAPED_OPEN_PAREN_${salt}__`, |
| 34 | ESCAPED_CLOSE_PAREN: `__ESCAPED_CLOSE_PAREN_${salt}__`, |
| 35 | } |
| 36 | } |
| 37 | |
| 38 | // File descriptors for standard input/output/error |
| 39 | // https://en.wikipedia.org/wiki/File_descriptor#Standard_streams |
no test coverage detected