From c6166d2fef8f41c85ed7a09adee5e8fe6facbc4e Mon Sep 17 00:00:00 2001
From: "Victor V. Rubezhny" <vrubezhny@redhat.com>
Date: Tue, 10 Dec 2024 16:33:46 +0100
Subject: [PATCH] Fix code scanning alert no. 13: Shell command built from
 environment values

Fixes: https://github.com/redhat-developer/vscode-openshift-tools/security/code-scanning/13

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 build/install-vscode.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/build/install-vscode.ts b/build/install-vscode.ts
index 82f8dfcb6..6a7ffff9c 100644
--- a/build/install-vscode.ts
+++ b/build/install-vscode.ts
@@ -37,7 +37,9 @@ void testElectron.downloadAndUnzipVSCode().then((executable: string) => {
         const extDir = path.join(vsCodeTest, 'extensions');
         for (const extension of extensionsToInstall) {
             console.log('Installing extension: ', extension );
-            cp.execSync(`${vsCodeExecutable} --install-extension ${extension} --user-data-dir ${userDataDir} --extensions-dir ${extDir}`);
+            cp.execFileSync(vsCodeExecutable,
+                ['--install-extension', extension, '--user-data-dir', userDataDir, '--extensions-dir', extDir],
+                { shell: true });
         }
     } else {
         console.log('No extension dependencies found in "package.json"');