CodeQL Flags Command Injection Risk in neilcochran/squawk Repository Build Script
A CodeQL automated security scan has identified three instances of indirect uncontrolled command line injection vulnerabilities in the neilcochran/squawk project. The flaws reside in scripts/build-data.js at lines 122, 139, and 155, where the codebase uses execSync() with string interpolation—a pattern that allows malicious input to be passed through to the system shell if the interpolated strings are user-controlled.
The vulnerability falls under CodeQL rule js/indirect-command-line-injection. According to the alert details, the affected code builds shell commands dynamically through string concatenation rather than passing arguments as a structured array. Because the assembled string is handed to the shell for parsing, any metacharacters in the interpolated values are interpreted as shell syntax rather than as data, which creates a potential vector for arbitrary command execution depending on how those variables are populated. The same repository already contains the preferred safe pattern elsewhere in its codebase: execFileSync() with an arguments array, which passes each argument directly to the child process without shell interpretation.
The alert carries a medium severity rating. While the actual risk depends on whether external or untrusted input reaches the affected code paths, three separate instances in a single build script suggest a localized pattern of unsafe practice rather than an isolated mistake. The recommended remediation is straightforward: refactor the three lines to use execFileSync(cmd, argsArray) instead of execSync() with interpolated strings. Organizations using this repository should evaluate whether their specific integration scenarios expose these code paths to untrusted input, since the fix would eliminate the entire class of injection risk at those locations.