From 00b4a235512198bb7d7583a67b835024bd528812 Mon Sep 17 00:00:00 2001
From: David Dworken
Date: Fri, 18 Jul 2025 09:58:22 -0700
Subject: [PATCH] fix: prevent command injection in git hash-object call (#297)

* Update package name to reference under the @Anthropic-AI NPM org

* fix: prevent command injection in git hash-object call

* Revert accidental change

---
 src/github/data/fetcher.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/github/data/fetcher.ts b/src/github/data/fetcher.ts
index b1dc26d..160c724 100644
--- a/src/github/data/fetcher.ts
+++ b/src/github/data/fetcher.ts
@@ -1,4 +1,4 @@
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import type { Octokits } from "../api/client";
 import { ISSUE_QUERY, PR_QUERY, USER_QUERY } from "../api/queries/github";
 import type {
@@ -114,7 +114,7 @@ export async function fetchGitHubData({
           try {
             // Use git hash-object to compute the SHA for the current file content
-            const sha = execSync(`git hash-object "${file.path}"`, {
+            const sha = execFileSync("git", ["hash-object", file.path], {
               encoding: "utf-8",
             }).trim();
             return {
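Review bot: In the second hunk, `file.path` is now a separate argv element so no shell ever sees it, but it is still placed where `git hash-object` parses options, so a path whose name begins with `-` would be read by git as a flag rather than a file name. Since `file.path` appears to come from the PR's changed-file list (inferred; the value's origin is outside the hunk), a repository-controlled file name can reach this call, so terminate option parsing explicitly: `const sha = execFileSync("git", ["hash-object", "--", file.path], {`. This keeps the commit's fix (no shell, no quoting) and additionally pins the argument to the positional-file position that the hash-object synopsis documents with `[--] <file>...`. The enclosing `try` block and `fetchGitHubData` both start and end outside the hunk, so the error handling around a git failure is not visible here.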