GitHub Project Exposes Critical Shell Injection Flaw in AppleScript Rename Function
A critical security vulnerability has been exposed in a GitHub project's file renaming function, where the use of AppleScript creates a direct path for shell injection attacks. The flaw allows attackers to inject arbitrary AppleScript commands by manipulating filenames containing shell metacharacters, as the project's simple quote-escaping method is fundamentally insufficient. This security hole is compounded by severe reliability failures, where batch operations silently time out and skip files after approximately 90 renames, leaving users with no indication of partial failure.
The vulnerability resides in the current implementation, which spawns a separate `osascript` process for each file using `spawnSync()`. The code attempts to escape double quotes in file paths, but this defense is easily bypassed. This design not only opens an injection vector but also introduces operational fragility. A single `try/catch` block wrapped around the entire rename loop means any mid-batch failure leaves the file system in an inconsistent and unrecoverable state, with no mechanism to roll back changes.
The proposed solution is a complete architectural shift: replacing the insecure AppleScript calls with Node.js's native `fs.rename()` function. This move eliminates the shell injection vector by removing the dependency on spawning external processes and interpreting user input as code. It also promises to resolve the batch timeout and silent failure issues inherent in the per-file process-spawning model. The fix is labeled the critical priority that must be implemented before any other changes, highlighting the severity of the exposed risks to both security and data integrity.