Fix OS Command Injection vulnerabilities

Author: ProgrammerKR

main.c

@@ -20,6 +20,13 @@
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef _WIN32
+#include <process.h>
+#else
+#include <unistd.h>
+#include <sys/wait.h>
+#endif
+
 
 static void repl(VM *vm) {
   char line[1024];
@@ -309,20 +316,40 @@ static int dispatchPRM(int argc, const char* argv[]) {
 
         if (strcmp(sub, "run") == 0) {
             printf("[PRM] Running project: %s v%s\n", pname, pversion);
-            char command[1152];
-            snprintf(command, sizeof(command), "proxpl \"%s\"", pentry);
-            printf("[PRM] Executing: %s\n", command);
-            int code = system(command);
+            printf("[PRM] Executing: proxpl %s\n", pentry);
+            int code = -1;
+            #ifdef _WIN32
+            code = _spawnlp(_P_WAIT, "proxpl", "proxpl", pentry, NULL);
+            #else
+            pid_t pid = fork();
+            if (pid == 0) {
+                execlp("proxpl", "proxpl", pentry, (char*)NULL);
+                exit(1);
+            } else if (pid > 0) {
+                int status;
+                waitpid(pid, &status, 0);
+                if (WIFEXITED(status)) code = WEXITSTATUS(status);
+            }
+            #endif
             if (code != 0) printf("[PRM] Process exited with code %d\n", code);
 
         } else if (strcmp(sub, "build") == 0) {
             int releaseMode = (argc >= 3 && strcmp(argv[2], "--release") == 0);
             printf("[PRM] Building project: %s v%s%s\n", pname, pversion, releaseMode ? " (release)" : "");
             printf("Compile-only mode not fully supported yet, running instead...\n");
-            char command[1152];
-            snprintf(command, sizeof(command), "proxpl \"%s\"", pentry);
-            printf("[PRM] Executing: %s\n", command);
-            system(command);
+            printf("[PRM] Executing: proxpl %s\n", pentry);
+            #ifdef _WIN32
+            _spawnlp(_P_WAIT, "proxpl", "proxpl", pentry, NULL);
+            #else
+            pid_t pid = fork();
+            if (pid == 0) {
+                execlp("proxpl", "proxpl", pentry, (char*)NULL);
+                exit(1);
+            } else if (pid > 0) {
+                int status;
+                waitpid(pid, &status, 0);
+            }
+            #endif
 
         } else if (strcmp(sub, "test") == 0) {
             printf("Running tests for %s...\n", pname);

src/main.c

@@ -23,6 +23,12 @@
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef _WIN32
+#include <process.h>
+#else
+#include <unistd.h>
+#include <sys/wait.h>
+#endif
 
 void registerStdLib(VM* vm);
 
@@ -246,15 +252,6 @@ static void runFile(const char *path) {
 //   PRM Command Dispatch
 //   Returns 1 if handled as a PRM command, 0 to continue with normal dispatch
 // ============================================================
-static int isValidArg(const char* arg) {
-    if (!arg) return 0;
-    while (*arg) {
-        if (strchr("&|;><`$\\", *arg)) return 0;
-        arg++;
-    }
-    return 1;
-}
-
 static int dispatchPRM(int argc, const char* argv[]) {
     // Check if invoked as "prm" / "prm.exe" / "prm.bat"
     const char* exe = argv[0];
@@ -364,22 +361,23 @@ static int dispatchPRM(int argc, const char* argv[]) {
 
         if (strcmp(sub, "run") == 0) {
             printf("[PRM] Running project: %s v%s\n", pname, pversion);
-            char command[1152];
-            // Use argv[0] to re-invoke the same executable
-            // On Windows, system() uses cmd.exe /c string
-            // If the string starts with a quote, we need to wrap the WHOLE thing in quotes
+            printf("[PRM] Executing: %s %s\n", argv[0], pentry);
+            
+            int code = -1;
             #ifdef _WIN32
-            snprintf(command, sizeof(command), "\"\"%s\" \"%s\"\"", argv[0], pentry);
+            code = _spawnl(_P_WAIT, argv[0], argv[0], pentry, NULL);
             #else
-            snprintf(command, sizeof(command), "\"%s\" \"%s\"", argv[0], pentry);
+            pid_t pid = fork();
+            if (pid == 0) {
+                execl(argv[0], argv[0], pentry, (char*)NULL);
+                exit(1);
+            } else if (pid > 0) {
+                int status;
+                waitpid(pid, &status, 0);
+                if (WIFEXITED(status)) code = WEXITSTATUS(status);
+            }
             #endif
 
-            printf("[PRM] Executing: %s\n", command);
-            if (!isValidArg(argv[0]) || !isValidArg(pentry)) {
-                fprintf(stderr, "Error: Invalid characters in command arguments.\n");
-                return 1;
-            }
-            int code = system(command);
             if (code != 0) printf("[PRM] Process exited with code %d\n", code);
 
         } else if (strcmp(sub, "build") == 0) {
@@ -405,20 +403,23 @@ static int dispatchPRM(int argc, const char* argv[]) {
                 int releaseMode = (argc >= 3 && strcmp(argv[2], "--release") == 0);
                 printf("[PRM] Building project: %s v%s%s\n", pname, pversion, releaseMode ? " (release)" : "");
                 printf("Compile-only mode not fully supported yet, running instead...\n");
-                char command[1152];
+                printf("[PRM] Executing: %s %s\n", argv[0], pentry);
 
+                int res = -1;
                 #ifdef _WIN32
-                snprintf(command, sizeof(command), "\"\"%s\" \"%s\"\"", argv[0], pentry);
+                res = _spawnl(_P_WAIT, argv[0], argv[0], pentry, NULL);
                 #else
-                snprintf(command, sizeof(command), "\"%s\" \"%s\"", argv[0], pentry);
+                pid_t pid = fork();
+                if (pid == 0) {
+                    execl(argv[0], argv[0], pentry, (char*)NULL);
+                    exit(1);
+                } else if (pid > 0) {
+                    int status;
+                    waitpid(pid, &status, 0);
+                    if (WIFEXITED(status)) res = WEXITSTATUS(status);
+                }
                 #endif
 
-                printf("[PRM] Executing: %s\n", command);
-                if (!isValidArg(argv[0]) || !isValidArg(pentry)) {
-                    fprintf(stderr, "Error: Invalid characters in command arguments.\n");
-                    return 1;
-                }
-                int res = system(command);
                 (void)res;
             }
 

src/prm/builder.c

@@ -6,6 +6,13 @@
 #include "scanner.h"
 #include "parser.h"
 
+#ifdef _WIN32
+#include <process.h>
+#else
+#include <unistd.h>
+#include <sys/wait.h>
+#endif
+
 // Helper to read file content for parsing
 static char* read_file_prm(const char* path) {
     FILE* file = fopen(path, "rb");
@@ -47,8 +54,22 @@ static void invoke_compiler(const char* file, bool run) {
         return;
     }
 
-    printf("[PRM] Executing: %s\n", command);
-    int code = system(command);
+    printf("[PRM] Executing: %s \"%s\"\n", exe, file);
+    
+    int code = -1;
+    #ifdef _WIN32
+    code = _spawnlp(_P_WAIT, exe, exe, file, NULL);
+    #else
+    pid_t pid = fork();
+    if (pid == 0) {
+        execlp(exe, exe, file, (char*)NULL);
+        exit(1);
+    } else if (pid > 0) {
+        int status;
+        waitpid(pid, &status, 0);
+        if (WIFEXITED(status)) code = WEXITSTATUS(status);
+    }
+    #endif
 
     if (code != 0) {
         printf("[PRM] Process exited with code %d\n", code);

src/prm/commands/cmd_core.c

@@ -3,6 +3,15 @@
 #include <string.h>
 #include "../prm.h"
 
+#ifdef _WIN32
+#include <process.h>
+#include <direct.h>
+#else
+#include <unistd.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#endif
+
 // --- Core ---
 static int isValidPrmArg(const char* arg) {
     if (!arg) return 0;
@@ -119,9 +128,9 @@ void prm_install(const char* packageName) {
 
         // Ensure prox_modules directory exists
         #ifdef _WIN32
-            system("if not exist prox_modules mkdir prox_modules");
+            _mkdir("prox_modules");
         #else
-            system("mkdir -p prox_modules");
+            mkdir("prox_modules", 0777);
         #endif
 
         // Determine target folder name from package name
@@ -142,27 +151,40 @@ void prm_install(const char* packageName) {
             targetPath[len - 4] = '\0';
         }
 
-        // Construct git clone command
-        char command[512];
+        char packageUrl[512];
 
         if (strstr(packageName, "://")) {
              // Full URL
              if (!isValidPrmArg(packageName)) {
                  fprintf(stderr, "Error: Invalid characters in package URL.\n");
                  return;
              }
-             snprintf(command, sizeof(command), "git clone %s %s", packageName, targetPath);
+             snprintf(packageUrl, sizeof(packageUrl), "%s", packageName);
         } else {
              // "User/Repo" format -> GitHub
              if (!isValidPrmArg(packageName)) {
                  fprintf(stderr, "Error: Invalid characters in package name.\n");
                  return;
              }
-             snprintf(command, sizeof(command), "git clone https://github.com/%s.git %s", packageName, targetPath);
+             snprintf(packageUrl, sizeof(packageUrl), "https://github.com/%s.git", packageName);
         }
 
-        printf("Running: %s\n", command);
-        int result = system(command);
+        printf("Running: git clone %s %s\n", packageUrl, targetPath);
+        int result = -1;
+        
+        #ifdef _WIN32
+        result = _spawnlp(_P_WAIT, "git", "git", "clone", packageUrl, targetPath, NULL);
+        #else
+        pid_t pid = fork();
+        if (pid == 0) {
+            execlp("git", "git", "clone", packageUrl, targetPath, (char*)NULL);
+            exit(1);
+        } else if (pid > 0) {
+            int status;
+            waitpid(pid, &status, 0);
+            if (WIFEXITED(status)) result = WEXITSTATUS(status);
+        }
+        #endif
 
         if (result == 0) {
             printf("Successfully installed %s to %s.\n", packageName, targetPath);