From cbb77715252053e91e3db296e33939c71765f445 Mon Sep 17 00:00:00 2001
From: YeonGyu-Kim
Date: Sun, 8 Feb 2026 18:39:36 +0900
Subject: [PATCH] fix: prevent command injection in git diff stats collection

Replace execSync with string commands with execFileSync using argument arrays to avoid shell interpretation of file paths with special chars.
---
 src/shared/git-worktree/collect-git-diff-stats.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/shared/git-worktree/collect-git-diff-stats.ts b/src/shared/git-worktree/collect-git-diff-stats.ts
index 158a09d82..49a98fe2f 100644
--- a/src/shared/git-worktree/collect-git-diff-stats.ts
+++ b/src/shared/git-worktree/collect-git-diff-stats.ts
@@ -1,11 +1,11 @@
-import { execSync } from "node:child_process"
+import { execFileSync } from "node:child_process"
 import { parseGitStatusPorcelain } from "./parse-status-porcelain"
 import { parseGitDiffNumstat } from "./parse-diff-numstat"
 import type { GitFileStat } from "./types"
 
 export function collectGitDiffStats(directory: string): GitFileStat[] {
   try {
-    const diffOutput = execSync("git diff --numstat HEAD", {
+    const diffOutput = execFileSync("git", ["diff", "--numstat", "HEAD"], {
       cwd: directory,
       encoding: "utf-8",
       timeout: 5000,
@@ -14,7 +14,7 @@ export function collectGitDiffStats(directory: string): GitFileStat[] {
     if (!diffOutput) return []
 
-    const statusOutput = execSync("git status --porcelain", {
+    const statusOutput = execFileSync("git", ["status", "--porcelain"], {
       cwd: directory,
       encoding: "utf-8",
       timeout: 5000,
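Review bot: The argument-array form is the right call, but the rationale in the message does not match the removed lines: both old commands were constant strings with no interpolated path, so the shell never saw caller-controlled input, and the change removes the `sh -c` hop as hardening rather than closing an exploitable injection. A one-line comment on the new `execFileSync` call, `// argument array, no shell: git's arguments are never re-parsed, whatever the working tree contains`, would keep a later reader from concluding paths were once interpolated here; the same applies to the `git status --porcelain` call in the second hunk. One limit neither call sets is `maxBuffer`: the node default is 1 MiB, and a large working tree whose `--numstat` output exceeds it makes `execFileSync` throw, which the enclosing `try` (its `catch` lies outside both hunks) presumably turns into an empty result, so consider adding `maxBuffer: 16 * 1024 * 1024,` next to `timeout` in both calls. `collectGitDiffStats` begins in the first hunk and ends outside the second, and as an exported function it still lacks a TSDoc block stating that the stats are taken relative to `HEAD` and that an empty diff yields `[]`.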