From 5d471799e670f28467c678a2a11bf37f365cb60c Mon Sep 17 00:00:00 2001
From: Austin Pray <71290498+austinpray-mixpanel@users.noreply.github.com>
Date: Wed, 18 Sep 2024 09:47:56 -0500
Subject: [PATCH] Fix code scanning alert #8: Shell command built from environment values
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 openapi/publish.js | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/openapi/publish.js b/openapi/publish.js
index bc5c611d9a..675d09c7cc 100644
--- a/openapi/publish.js
+++ b/openapi/publish.js
@@ -4,7 +4,7 @@ const process = require("node:process");
 const util = require("node:util");
 const YAML = require("yaml");
-const exec = util.promisify(require("node:child_process").exec);
+const execFile = util.promisify(require("node:child_process").execFile);
 const README_API_KEY = process.env.README_API_KEY;
 if (!README_API_KEY) {
@@ -17,9 +17,9 @@ if (!README_VERSION) {
 process.exit(1);
 }
-async function execAndLog(cmd) {
+async function execAndLog(cmd, args) {
 try {
- const { stdout, stderr } = await exec(cmd);
+ const { stdout, stderr } = await execFile(cmd, args);
 console.error(stderr);
 console.log(stdout);
 } catch (err) {
@@ -63,9 +63,9 @@ async function updateSpecs() {
 // validate and publish spec
 console.log(`Updating ${spec.info.title} (${specFile}, ID ${specId})`);
- await execAndLog(`npx rdme openapi:validate ${fullPath}`);
+ await execAndLog('npx', ['rdme', 'openapi:validate', fullPath]);
 await execAndLog(
- `npx rdme openapi ${fullPath} --id=${specId} --key=${README_API_KEY}`
+ 'npx', ['rdme', 'openapi', fullPath, `--id=${specId}`, `--key=${README_API_KEY}`]
 );
 }
 }
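Review bot: The API key is still handed to the child on its command line (the `--key=${README_API_KEY}` element in the second execAndLog call of the last hunk), so it remains readable by any local user via `ps` or `/proc/<pid>/cmdline`, and, as far as I recall Node's child_process, the rejection error from execFile carries the joined argv in its message — if the `catch (err)` block of execAndLog (outside this hunk) logs `err` as-is, the key lands in CI output. Moving to execFile closes the shell-injection alert but does not change this exposure. If the pinned rdme version accepts the key from its environment (I believe it reads `RDME_API_KEY`; verify before relying on it), drop the `--key=` element and have execAndLog take a third `options` argument forwarded as `execFile(cmd, args, options)`, with the publish call passing `{ env: { ...process.env, RDME_API_KEY: README_API_KEY } }`. Minor style point: the added lines use single quotes while the rest of the file uses double quotes. The bodies of execAndLog and updateSpecs both continue outside these hunks.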