From 899630341be9ad32bef27be70b3352276f79bdde Mon Sep 17 00:00:00 2001
From: vinayakg
Date: Thu, 29 Jan 2026 12:30:24 +0530
Subject: [PATCH] fix: prevent command injection in Prettier hook (#102)
Security fix: Prevent command injection in Prettier hook by using execFileSync with array arguments instead of execSync with string concatenation.
---
hooks/hooks.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hooks/hooks.json b/hooks/hooks.json
index 04b4a82..4a974af 100644
--- a/hooks/hooks.json
+++ b/hooks/hooks.json
@@ -105,7 +105,7 @@
 "hooks": [
 {
 "type": "command",
- "command": "node -e \"const{execSync}=require('child_process');const fs=require('fs');let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{const i=JSON.parse(d);const p=i.tool_input?.file_path;if(p&&fs.existsSync(p)){try{execSync('npx prettier --write \"'+p+'\"',{stdio:['pipe','pipe','pipe']})}catch(e){}}console.log(d)})\""
+ "command": "node -e \"const{execFileSync}=require('child_process');const fs=require('fs');let d='';process.stdin.on('data',c=>d+=c);process.stdin.on('end',()=>{const i=JSON.parse(d);const p=i.tool_input?.file_path;if(p&&fs.existsSync(p)){try{execFileSync('npx',['prettier','--write',p],{stdio:['pipe','pipe','pipe']})}catch(e){}}console.log(d)})\""
 }
 ],
 "description": "Auto-format JS/TS files with Prettier after edits"
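Review bot: The execFileSync call removes the shell, but `p` on the added line is still an untrusted value read from stdin (`i.tool_input?.file_path`) that is checked only with `fs.existsSync` before being handed to `prettier --write`, so any path the hook's user can write to — a directory (which Prettier expands and formats), or a file outside the repository — would be rewritten in place. A containment and file-type check bounds that: `const path=require('path');const r=path.resolve(p);` and then `if(r.startsWith(process.cwd()+path.sep)&&fs.statSync(r).isFile())` in place of the `fs.existsSync(p)` test, passing `r` rather than `p` to Prettier. The `catch(e){}` also hides every failure (a Prettier parse error, a missing `npx`, and likely the Windows case where `execFileSync('npx', …)` without a shell cannot resolve `npx.cmd`); `process.stderr.write(String(e.message)+'\n')` in the catch keeps the stdout JSON passthrough intact while making failures visible to the operator. The enclosing hooks.json object begins and ends outside the hunk.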