microsoft · benibenj · May 3, 2024 · May 2, 2024 · May 2, 2024 · May 2, 2024
diff --git a/src/package.ts b/src/package.ts
@@ -395,25 +395,59 @@ export async function versionBump(options: IVersionBumpOptions): Promise<void> {
 			}
 	}
 
+
 	// call `npm version` to do our dirty work
 	const args = ['version', options.version];
 
-	if (options.commitMessage) {
-		args.push('-m', options.commitMessage);
+	const isWindows = process.platform === 'win32';
+
+	const commitMessage = isWindows ? sanitizeCommitMessage(options.commitMessage) : options.commitMessage;
+	if (commitMessage) {
+		args.push('-m', commitMessage);
 	}
 
 	if (!(options.gitTagVersion ?? true)) {
 		args.push('--no-git-tag-version');
 	}
 
-	const { stdout, stderr } = await promisify(cp.execFile)(process.platform === 'win32' ? 'npm.cmd' : 'npm', args, { cwd });
-
+	const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
 	if (!process.env['VSCE_TESTS']) {
 		process.stdout.write(stdout);
 		process.stderr.write(stderr);
 	}
 }
 
+function sanitizeCommitMessage(message?: string): string | undefined {
+	if (!message) {
+		return undefined;
+	}
+
+	// Check for characters that might escape quotes or introduce shell commands.
+	// Don't allow: ', ", `, $, \ (except for \n)
+	const unsafeRegex = /(?<!\\)\\(?!n)|['"`$]/g;
+
+	// Remove any unsafe characters found by the unsafeRegex
+	const sanitizedMessage = message.replace(unsafeRegex, '');
+
+	// Additional check to make sure nothing potentially dangerous is still in the string
+	if ([`'`, `"`, '`', '$'].some(char => sanitizedMessage.includes(char))) {
+		throw new Error('Commit message contains potentially dangerous characters after initial sanitization.');
+	}
+
+	for (let index = 0; index < sanitizedMessage.length; index++) {
+		const char = sanitizedMessage[index];
+		if (char === '\\' && sanitizedMessage[index + 1] !== 'n') {
+			throw new Error('Commit message contains potentially dangerous characters after initial sanitization.');
+		}
+	}
+
+	if (sanitizedMessage.length === 0) {
+		return undefined;
+	}
+
+	return `"${sanitizedMessage}"`;
+}
+
 export const Targets = new Set([
 	'win32-x64',
 	'win32-arm64',

diff --git a/src/test/package.test.ts b/src/test/package.test.ts
@@ -2940,7 +2940,7 @@ describe('version', function () {
 	const fixtureFolder = fixture('vsixmanifest');
 	let cwd: string;
 
-	const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8' });
+	const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8', shell: true });
 
 	beforeEach(() => {
 		dir = tmp.dirSync({ unsafeCleanup: true });