fix: codeQL issue

lib/index.js

@@ -116,8 +116,10 @@ const spawnWithShell = (cmd, args, opts, extra) => {
     options.windowsVerbatimArguments = true
   } else if (opts.isWSL) {
     //  handling for WSL
-    script = `${cmd} ${args.join(' ')}`
-    realArgs = ['-Command', script]
+    realArgs = ['-COmmand', 'Start-Process']
+    args.forEach(arg => {
+      realArgs.push(escapeWindowsArg(arg))
+    })
   } else {
     for (const arg of args) {
       script += ` ${escape.sh(arg)}`
@@ -157,9 +159,9 @@ const open = (_args, opts = {}, extra = {}) => {
       // string immediately after the start command
       if (isWSL) {
         // For WSL, use wslpath to convert the path if necessary
-        command = 'powershell.exe -Command'
+        command = 'powershell.exe'
+        args = args.map(arg => `$(wslpath -w '${escapeWindowsArg(arg)}')`)
         args.unshift('Start-Process')
-        args = args.map(arg => `"$(wslpath -w '${arg}')"`)
       } else {
         command = 'start ""'
       }
@@ -220,4 +222,11 @@ const findInObject = (obj, key) => {
   }
 }
 
+const escapeWindowsArg = (arg) => {
+  if (typeof arg !== 'string') {
+    return arg
+  }
+  return `${arg.replace(/"/g, '""')}"`
+}
+
 module.exports = promiseSpawn