FIX: use array form of sh and File.open to avoid shell injection in Fastfile

Co-authored-by: marcosrdz <4793122+marcosrdz@users.noreply.github.com>
2026-02-22 18:56:30 +00:00 · 2026-02-22 18:56:30 +00:00 · 0ae944abbc
commit 0ae944abbc
parent 0cf466910f
1 changed files with 5 additions and 3 deletions
--- a/fastlane/Fastfile
+++ b/fastlane/Fastfile
@ -664,7 +664,7 @@ platform :ios do
      UI.message("Added multilingual README with first-launch instructions to DMG")

      FileUtils.rm_f(dmg_path)
-      sh("hdiutil create -volname 'BlueWallet' -srcfolder '#{dmg_staging}' -ov -format UDZO '#{dmg_path}'")
+      sh("hdiutil", "create", "-volname", "BlueWallet", "-srcfolder", dmg_staging, "-ov", "-format", "UDZO", dmg_path)
      UI.user_error!("DMG was not created at #{dmg_path}") unless File.exist?(dmg_path)
      UI.success("DMG created at: #{dmg_path}")

@ -673,8 +673,10 @@ platform :ios do
      ENV['CATALYST_APP_PATH'] = catalyst_app_path
      ENV['CATALYST_DMG_PATH'] = dmg_path
      if ENV['GITHUB_OUTPUT']
-        sh("echo 'catalyst_app_path=#{catalyst_app_path}' >> $GITHUB_OUTPUT")
-        sh("echo 'catalyst_dmg_path=#{dmg_path}' >> $GITHUB_OUTPUT")
+        File.open(ENV['GITHUB_OUTPUT'], 'a') do |f|
+          f.puts "catalyst_app_path=#{catalyst_app_path}"
+          f.puts "catalyst_dmg_path=#{dmg_path}"
+        end
      end

      UI.success("macOS app built at: #{catalyst_app_path}")