
Fix command injection vulnerability in editor launch (execSync → spawnSync)#4

Merged
seabearDEV merged 4 commits into claude/verify-codexcli-readme-qVZ44 from copilot/sub-pr-2-again
Feb 21, 2026

Conversation

Contributor

Copilot AI commented Feb 21, 2026

execSync was used to launch the user's editor by interpolating $EDITOR/$VISUAL and the temp file path directly into a shell string, making it vulnerable to failures or exploitation if either contained spaces or shell metacharacters.

Changes

  • src/commands/entries.ts: Replace execSync with spawnSync, passing the temp file path via a dedicated env var (CODEX_TMPFILE) and referencing it with double-quoting in the shell command. The shell is selected based on the current platform (cmd /c on Windows, $SHELL ?? '/bin/sh' on Unix). A check on result.status ensures that non-zero editor exit codes (e.g. user cancels) are treated as errors rather than silent successes:
// Before (src/commands/entries.ts): editor and path interpolated into one shell string
execSync(`${editor} ${tmpFile}`, { stdio: 'inherit' });

// After
import { spawnSync } from 'node:child_process';

const isWindows = process.platform === 'win32';
// cmd.exe on Windows; the user's configured shell (falling back to /bin/sh) on Unix
const shell = isWindows ? 'cmd' : (process.env.SHELL ?? '/bin/sh');
// The path is never spliced into the command string; the shell reads it from the env var
const shellArgs = isWindows
  ? ['/c', `${editor} "%CODEX_TMPFILE%"`]
  : ['-c', `${editor} "$CODEX_TMPFILE"`];
const result = spawnSync(shell, shellArgs, {
  stdio: 'inherit',
  env: { ...process.env, CODEX_TMPFILE: tmpFile },
});
// error is set when the shell itself could not be spawned
if (result.error) throw result.error;
// status is null when the process was terminated by a signal
if (result.status !== 0 && result.status !== null) {
  throw new Error(`Editor exited with code ${result.status}`);
}

This isolates tmpFile from shell word-splitting and expansion, works correctly on both Unix and Windows, and propagates editor failures properly.



…mpFile

Co-authored-by: seabearDEV <40605056+seabearDEV@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP Address feedback on Claude/verify codexcli readme PR" to "Fix command injection vulnerability in editor launch (execSync → spawnSync)" Feb 21, 2026
Copilot AI requested a review from seabearDEV February 21, 2026 20:25
@seabearDEV seabearDEV marked this pull request as ready for review February 21, 2026 20:32
Copilot AI review requested due to automatic review settings February 21, 2026 20:32
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses a command injection vulnerability in the editEntry function by replacing execSync with spawnSync and passing the temporary file path via an environment variable instead of direct string interpolation.

Changes:

  • Replaced execSync with spawnSync to launch the editor, isolating the temp file path from shell word-splitting and expansion by passing it via the CODEX_TMPFILE environment variable


Comment on lines +452 to +456
const result = spawnSync('sh', ['-c', `${editor} "$CODEX_TMPFILE"`], {
stdio: 'inherit',
env: { ...process.env, CODEX_TMPFILE: tmpFile },
});
if (result.error) throw result.error;
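Review bot: only `result.error` is checked after the spawn, so an editor that exits non-zero (for example when the user cancels) is treated as a silent success; add a check on `result.status` and throw when it is non-zero, e.g. `if (result.status !== 0) throw new Error(\`Editor exited with code ${result.status}\`);`. Separately, `${editor}` is still interpolated into the `sh -c` string; since it comes from the user's own $EDITOR/$VISUAL that is acceptable for a multi-word editor command, but a one-line comment stating that the path is the only value deliberately kept out of the command string would make the intent clear to the next reader.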

Copilot AI Feb 21, 2026


The hardcoded 'sh' shell will fail on Windows systems. Consider using process.platform === 'win32' ? 'cmd' : 'sh' or following the pattern from line 107 which uses process.env.SHELL ?? '/bin/sh' to respect the user's configured shell. However, note that Windows may require different handling (e.g., using 'cmd' with /c or 'powershell' with -Command).

Owner


@copilot apply changes based on this feedback

Contributor Author


Applied in commit f15d1bb — shell is now cmd /c on Windows (with %CODEX_TMPFILE%) and $SHELL ?? '/bin/sh' with -c on Unix (with "$CODEX_TMPFILE").

@seabearDEV
Owner

@copilot apply changes based on the comments in this thread

seabearDEV and others added 2 commits February 21, 2026 13:38
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: seabearDEV <40605056+seabearDEV@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 21, 2026

@copilot apply changes based on the comments in this thread

Applied both changes in commit f15d1bb:

  • Shell is now selected based on platform: cmd /c on Windows (with %CODEX_TMPFILE%), $SHELL ?? '/bin/sh' with -c on Unix (with "$CODEX_TMPFILE")
  • Added result.status check to throw when the editor exits with a non-zero code

@seabearDEV
Owner

@copilot apply changes based on the comments in this thread

Contributor Author

Copilot AI commented Feb 21, 2026

@copilot apply changes based on the comments in this thread

These changes were already applied in commit f15d1bb — Windows-aware shell selection and the result.status non-zero exit code check are both in place.

@seabearDEV seabearDEV merged commit 83b4c59 into claude/verify-codexcli-readme-qVZ44 Feb 21, 2026
1 check passed
@seabearDEV seabearDEV deleted the copilot/sub-pr-2-again branch February 21, 2026 20:43