phaneron/Kelsidavis-WoWee
1
0
Fork 0
mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-05-24 15:33:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
Kelsidavis-WoWee/tools/editor/cli_subprocess.hpp
Kelsi c4fcabbe1b fix(security): replace std::system with shell-free posix_spawn helper 
CodeQL flagged 21 cpp/command-line-injection alerts in tools/editor/.
All matched the same pattern: build a shell command string from
argv[0] + a user-supplied path, then std::system() it. Even though
the threat model (user invokes their own CLI on their own machine)
makes the alert mostly academic, the std::system path is also
fragile — paths with spaces, quotes, or shell metacharacters
silently break.

Add tools/editor/cli_subprocess.{hpp,cpp} exposing a single
runChild(argv0, args, quiet=false) that uses posix_spawn on POSIX
and CreateProcess on Windows. No shell, argv passed verbatim,
optional stdout/stderr redirect to /dev/null (NUL on Windows).

Refactor 14 call sites across cli_convert.cpp, cli_data_tree.cpp,
cli_format_validate.cpp, cli_items.cpp, cli_random.cpp,
cli_repair.cpp, cli_spawn_audit.cpp.

Also fix two cpp/integer-multiplication-cast-to-long alerts:
- cli_gen_texture.cpp:3049 — seeds.reserve grid-size product
- cli_convert_single.cpp:224 — vector size for DBC record block
Both now widen one operand to size_t before multiplying.
2026-05-13 18:25:06 -07:00

31 lines
1 KiB
C++
Raw Blame History

#pragma once
// Portable subprocess launcher for the editor CLI. Replaces std::system()
// with direct posix_spawn / CreateProcess calls so we avoid invoking a
// shell — both for safety (CodeQL cpp/command-line-injection) and for
// correctness (paths with spaces, quotes, or metacharacters work
// without manual escaping).
#include <string>
#include <vector>
namespace wowee {
namespace editor {
namespace cli {
// Spawn `argv0` with `args` (excluding argv0 itself), wait for it to
// finish, return its exit code. No shell is invoked, so arguments are
// passed verbatim — quoting is unnecessary and forbidden.
//
// If `quiet` is true, the child's stdout and stderr are redirected to
// the platform null device (/dev/null on POSIX, NUL on Windows).
//
// On launch failure the function returns -1 and writes a diagnostic to
// stderr.
int runChild(const std::string& argv0,
const std::vector<std::string>& args,
bool quiet = false);
} // namespace cli
} // namespace editor
} // namespace wowee
Reference in a new issue View git blame Copy permalink