@@ -395,25 +395,46 @@ export async function versionBump(options: IVersionBumpOptions): Promise<void> {
395395 }
396396 }
397397
398+
398399 // call `npm version` to do our dirty work
399400 const args = [ 'version' , options . version ] ;
400401
401- if ( options . commitMessage ) {
402- args . push ( '-m' , options . commitMessage ) ;
402+ const isWindows = process . platform === 'win32' ;
403+
404+ const commitMessage = isWindows ? sanitizeCommitMessage ( options . commitMessage ) : options . commitMessage ;
405+ if ( commitMessage ) {
406+ args . push ( '-m' , commitMessage ) ;
403407 }
404408
405409 if ( ! ( options . gitTagVersion ?? true ) ) {
406410 args . push ( '--no-git-tag-version' ) ;
407411 }
408412
409- const { stdout, stderr } = await promisify ( cp . execFile ) ( process . platform === 'win32' ? 'npm.cmd' : 'npm' , args , { cwd } ) ;
410-
413+ const { stdout, stderr } = await promisify ( cp . execFile ) ( isWindows ? 'npm.cmd' : 'npm' , args , { cwd, shell : isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ } ) ;
411414 if ( ! process . env [ 'VSCE_TESTS' ] ) {
412415 process . stdout . write ( stdout ) ;
413416 process . stderr . write ( stderr ) ;
414417 }
415418}
416419
420+ function sanitizeCommitMessage ( message ?: string ) : string | undefined {
421+ if ( ! message ) {
422+ return undefined ;
423+ }
424+
425+ // Remove any unsafe characters found by the unsafeRegex
426+ // Check for characters that might escape quotes or introduce shell commands.
427+ // Don't allow: ', ", `, $, \ (except for \n which is allowed)
428+ const sanitizedMessage = message . replace ( / (?< ! \\ ) \\ (? ! n ) | [ ' " ` $ ] / g, '' ) ;
429+
430+ if ( sanitizedMessage . length === 0 ) {
431+ return undefined ;
432+ }
433+
434+ // Add quotes as commit message is passed as a single argument to the shell
435+ return `"${ sanitizedMessage } ;
436+ }
437+
417438export const Targets = new Set ( [
418439 'win32-x64' ,
419440 'win32-arm64' ,
0 commit comments