[8.15] [CI] Use `execFile` for quick-checks (#191638) (#191963

)

# Backport

This will backport the following commits from `main` to `8.15`:
- [[CI] Use `execFile` for quick-checks
(#191638)](#191638)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Alex
Szabo","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-08-30T08:03:09Z","message":"[CI]
Use `execFile` for quick-checks (#191638)\n\n## Summary\r\nAs per the
suggestion
for\r\nhttps://github.com/elastic/kibana/security/code-scanning/448 -
using a\r\nsafer script
execution","sha":"1805b5cdd11d01c0be1f6a1449c3f92335c2fec9","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Team:Operations","release_note:skip","backport:prev-minor","v8.16.0"],"title":"[CI]
Use `execFile` for
quick-checks","number":191638,"url":"https://github.com/elastic/kibana/pull/191638","mergeCommit":{"message":"[CI]
Use `execFile` for quick-checks (#191638)\n\n## Summary\r\nAs per the
suggestion
for\r\nhttps://github.com/elastic/kibana/security/code-scanning/448 -
using a\r\nsafer script
execution","sha":"1805b5cdd11d01c0be1f6a1449c3f92335c2fec9"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/191638","number":191638,"mergeCommit":{"message":"[CI]
Use `execFile` for quick-checks (#191638)\n\n## Summary\r\nAs per the
suggestion
for\r\nhttps://github.com/elastic/kibana/security/code-scanning/448 -
using a\r\nsafer script
execution","sha":"1805b5cdd11d01c0be1f6a1449c3f92335c2fec9"}}]}]
BACKPORT-->

Co-authored-by: Alex Szabo <[email protected]>

src/dev/run_quick_checks.ts

@@ -6,10 +6,10 @@
  * Side Public License, v 1.
  */
 
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import { availableParallelism } from 'os';
-import { join, isAbsolute } from 'path';
-import { readdirSync, readFileSync } from 'fs';
+import { isAbsolute, join } from 'path';
+import { existsSync, readdirSync, readFileSync } from 'fs';
 
 import { run, RunOptions } from '@kbn/dev-cli-runner';
 import { REPO_ROOT } from '@kbn/repo-info';
@@ -54,7 +54,7 @@ void run(async ({ log, flagsReader }) => {
     targetFile: flagsReader.string('file'),
     targetDir: flagsReader.string('dir'),
     checks: flagsReader.string('checks'),
-  });
+  }).map((script) => (isAbsolute(script) ? script : join(REPO_ROOT, script)));
 
   logger.write(
     `--- Running ${scriptsToRun.length} checks, with parallelism ${MAX_PARALLELISM}...`,
@@ -108,7 +108,7 @@ function collectScriptsToRun(inputOptions: {
   }
 }
 
-async function runAllChecks(scriptsToRun: string[]) {
+async function runAllChecks(scriptsToRun: string[]): Promise<CheckResult[]> {
   const checksRunning: Array<Promise<any>> = [];
   const checksFinished: CheckResult[] = [];
 
@@ -121,10 +121,20 @@ async function runAllChecks(scriptsToRun: string[]) {
 
       const check = runCheckAsync(script);
       checksRunning.push(check);
-      check.then((result) => {
-        checksRunning.splice(checksRunning.indexOf(check), 1);
-        checksFinished.push(result);
-      });
+      check
+        .then((result) => {
+          checksRunning.splice(checksRunning.indexOf(check), 1);
+          checksFinished.push(result);
+        })
+        .catch((error) => {
+          checksRunning.splice(checksRunning.indexOf(check), 1);
+          checksFinished.push({
+            success: false,
+            script,
+            output: error.message,
+            durationMs: 0,
+          });
+        });
     }
 
     await sleep(1000);
@@ -138,9 +148,10 @@ async function runCheckAsync(script: string): Promise<CheckResult> {
   const startTime = Date.now();
 
   return new Promise((resolve) => {
-    const scriptProcess = exec(script);
+    validateScriptPath(script);
+    const scriptProcess = execFile('bash', [script]);
     let output = '';
-    const appendToOutput = (data: string | Buffer) => (output += data);
+    const appendToOutput = (data: string | Buffer) => (output += data.toString());
 
     scriptProcess.stdout?.on('data', appendToOutput);
     scriptProcess.stderr?.on('data', appendToOutput);
@@ -170,9 +181,10 @@ function printResults(startTimestamp: number, results: CheckResult[]) {
   logger.info(`- Total time: ${total}, effective: ${effective}`);
 
   results.forEach((result) => {
-    logger.write(
-      `--- ${result.success ? '✅' : '❌'} ${result.script}: ${humanizeTime(result.durationMs)}`
-    );
+    const resultLabel = result.success ? '✅' : '❌';
+    const scriptPath = stripRoot(result.script);
+    const runtime = humanizeTime(result.durationMs);
+    logger.write(`--- ${resultLabel} ${scriptPath}: ${runtime}`);
     if (result.success) {
       logger.debug(result.output);
     } else {
@@ -194,3 +206,22 @@ function humanizeTime(ms: number) {
     return `${minutes}m ${seconds}s`;
   }
 }
+
+function validateScriptPath(scriptPath: string) {
+  if (!isAbsolute(scriptPath)) {
+    logger.error(`Invalid script path: ${scriptPath}`);
+    throw new Error('Invalid script path');
+  } else if (!scriptPath.endsWith('.sh')) {
+    logger.error(`Invalid script extension: ${scriptPath}`);
+    throw new Error('Invalid script extension');
+  } else if (!existsSync(scriptPath)) {
+    logger.error(`Script not found: ${scriptPath}`);
+    throw new Error('Script not found');
+  } else {
+    return;
+  }
+}
+
+function stripRoot(script: string) {
+  return script.replace(REPO_ROOT, '');
+}