From 1030c2df52dac40ddf26bf33caca2a9d6054387a Mon Sep 17 00:00:00 2001
From: phukon
Date: Tue, 14 Jan 2025 05:35:55 +0530
Subject: [PATCH] fix(security): prevent command injection in git config

- Replace string interpolation with execFile to avoid shell injection
- Use array arguments instead of command string concatenation
---
 src/utils/setGitConfig.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/utils/setGitConfig.ts b/src/utils/setGitConfig.ts
index d1c2eb1..321766e 100644
--- a/src/utils/setGitConfig.ts
+++ b/src/utils/setGitConfig.ts
@@ -1,14 +1,14 @@
 import input from '@inquirer/input';
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import { promisify } from 'util';
 import chalk from 'chalk';
 import { GitKeyKitCodes } from '../gitkeykitCodes';
 
-const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 
 async function getGpgKeyFingerprint(): Promise {
   try {
-    const { stdout } = await execAsync('gpg --list-secret-keys');
+    const { stdout } = await execFileAsync('gpg --list-secret-keys');
 
     // Find the longest string that could be a fingerprint
     const lines = stdout.split('\n');
@@ -39,7 +39,7 @@ async function getGpgKeyFingerprint(): Promise {
 
 async function setGitConfigValue(key: string, value: string): Promise {
   try {
-    await execAsync(`git config --global ${key} "${value}"`);
+    await execFileAsync('git', ['config', '--global', key, value]);
   } catch (error) {
     throw new Error(`Error setting git config ${key}`);
   }
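Review bot: The first hunk's `execFileAsync('gpg --list-secret-keys')` passes the whole string as the program name; with no shell involved, Node tries to spawn an executable literally called `gpg --list-secret-keys`, which fails with ENOENT, so the fingerprint lookup in getGpgKeyFingerprint never reads any key list and always takes its error path. The call should be split into program and argument array to match the pattern the second hunk already uses: `const { stdout } = await execFileAsync('gpg', ['--list-secret-keys']);`. getGpgKeyFingerprint's body and catch block continue outside the hunk, and the `Promise` return types appear to have lost their type arguments in extraction rather than in the patch.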
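Review bot: In the second hunk, dropping the shell closes the injection path, but `key` and `value` still reach git's own option parser as bare positional arguments, so a caller-supplied string that begins with `-` may be read by git as an option rather than as a config key or value (how far this applies depends on the git version's option parsing). Either validate `key` against the config-key format before the call or terminate option parsing explicitly, `await execFileAsync('git', ['config', '--global', '--', key, value]);`. The catch also discards the original error; consider `throw new Error(\`Error setting git config ${key}\`, { cause: error });` so the git stderr is not lost. setGitConfigValue's closing brace is outside the hunk.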