Merge pull request #1354 from jeffersonfelixdev/hotfix/issue-1348

Hotfix - shell injection vulnerability

CHANGELOG.md

@@ -1,3 +1,9 @@
+# 2.2.4 (hotfix)
+
+### Fixed
+
+* Shell injection vulnerability
+
 # 2.2.3 (2025-02-03 11:52)
 
 ### Fixed

src/api/provider/sessions.ts

@@ -1,7 +1,7 @@
 import { Auth, ConfigService, ProviderSession } from '@config/env.config';
 import { Logger } from '@config/logger.config';
 import axios from 'axios';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 
 type ResponseSuccess = { status: number; data?: any };
 type ResponseProvider = Promise<[ResponseSuccess?, Error?]>;
@@ -36,7 +36,7 @@ export class ProviderFiles {
       } catch (error) {
         this.logger.error(['Failed to connect to the file server', error?.message, error?.stack]);
         const pid = process.pid;
-        execSync(`kill -9 ${pid}`);
+        execFileSync('kill', ['-9', `${pid}`]);
       }
     }
   }

src/api/services/monitor.service.ts

@@ -7,7 +7,7 @@ import { CacheConf, Chatwoot, ConfigService, Database, DelInstance, ProviderSess
 import { Logger } from '@config/logger.config';
 import { INSTANCE_DIR, STORE_DIR } from '@config/path.config';
 import { NotFoundException } from '@exceptions';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import EventEmitter2 from 'eventemitter2';
 import { rmSync } from 'fs';
 import { join } from 'path';
@@ -169,7 +169,8 @@ export class WAMonitoringService {
 
   public async cleaningStoreData(instanceName: string) {
     if (this.configService.get<Chatwoot>('CHATWOOT').ENABLED) {
-      execSync(`rm -rf ${join(STORE_DIR, 'chatwoot', instanceName + '*')}`);
+      const instancePath = join(STORE_DIR, 'chatwoot', instanceName);
+      execFileSync('rm', ['-rf', instancePath]);
     }
 
     const instance = await this.prismaRepository.instance.findFirst({