From 8eafb09915a474853a5516b0dee9eb26c2be7420 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 18 Feb 2026 14:08:07 -0800
Subject: [PATCH] fix(security): Replace execSync with execFileSync to prevent command injection in clang-format script

- Replace child_process.execSync() with execFileSync() to prevent potential shell injection
- Use array of arguments instead of string concatenation for safer command execution
- Addresses command injection vulnerability flagged by Semgrep

Fixes: JS-1502
Related: VULN-1095

Co-Authored-By: fix-it-felix-sentry[bot] <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
---
 scripts/clang-format.mjs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/scripts/clang-format.mjs b/scripts/clang-format.mjs
index e74115b..4d805ca 100644
--- a/scripts/clang-format.mjs
+++ b/scripts/clang-format.mjs
@@ -1,10 +1,9 @@
 import child_process from 'child_process';
 
 const args = ['--Werror', '-i', '--style=file', 'module.cc'];
-const cmd = `./node_modules/.bin/clang-format ${args.join(' ')}`;
 
 try {
-  child_process.execSync(cmd, {stdio: 'inherit'});
+  child_process.execFileSync('./node_modules/.bin/clang-format', args, {stdio: 'inherit'});
 } catch (e) {
   // This fails on linux_arm64
   // eslint-disable-next-line no-console
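Review bot: The new `execFileSync` call drops the shell that `execSync` used, so on Windows, where the npm shim at `node_modules/.bin/clang-format` is a `.cmd` file that recent Node versions refuse to spawn without a shell, this line is likely a regression if the script is expected to run there; since `args` is a constant array, passing `{stdio: 'inherit', shell: process.platform === 'win32'}` keeps the hardening on POSIX without breaking that platform. The commit message's "command injection" wording overstates the original risk, because every element of `args` on the line above is a literal and nothing from `process.argv` or the environment reached the old template string; a comment such as `// execFileSync bypasses the shell, so argv is never re-parsed` would record the actual intent (defense in depth) better. `execFileSync` also throws `ENOENT` when the binary is absent and a non-zero-status error when `--Werror` rejects the file, and the catch on the following line appears to treat both alike, so checking `e.code === 'ENOENT'` before swallowing would keep genuine formatting failures fatal. The catch body continues outside the hunk.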