Conversation


@odaysec odaysec commented Oct 23, 2025

const { exec } = require('child_process');
const util = require('util');
const path = require('path');
const execAsync = util.promisify(exec);

// The current customSign step: the whole docker command line is built as one
// string and handed to exec, which runs it through a shell. Wrapped in an
// async function here so the fragment is runnable as written; dockerCommand
// is the pre-built command string.
async function customSign(dockerCommand) {
    console.log('[customSign] Docker command:', dockerCommand);
    console.log('[customSign] Starting to run sign cmd via docker...');
    const { stdout, stderr } = await execAsync(dockerCommand);
    console.log('[customSign] Docker command output:', stdout);
    if (stderr) {
        console.error('[customSign] Docker command error output:', stderr);
    }
    return { stdout, stderr };
}

Fix this problem: remove string-based shell interpolation with exec and switch to child_process.spawn (or execFile) with argument arrays. Specifically, the docker command line must be split into a command and arguments, with each dynamic value provided as a separate array element, avoiding unintended shell interpretation.

Steps:

  • Replace execAsync(dockerCommand) with a call to spawn or execFile (preferably promisified).
  • Split the constructed docker command into a command (docker) and an array of arguments (including run, --rm, -v, etc.).
  • Pass dynamic values (directoryPath, environment vars, etc.) as array arguments, not within interpolated strings.
  • Properly handle stdout/stderr as before.
  • Add necessary import (promisify), and update function to await the spawned process.

CLAassistant commented Oct 23, 2025

CLA assistant check
All committers have signed the CLA.

Contributor

@jackkav jackkav left a comment

Cool contribution, thanks. This code is only run by electron-builder during the packaging process; I don't see an exploit vector, but it looks like it adheres to better secure coding practices.
