Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

child_process: disallow args in execFile/spawn when shell option is true #57199

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

child_process: disallow args in execFile/spawn when shell option is true #57199

wants to merge 2 commits into from
+30 −34

Conversation

DanielVenable
Copy link
Contributor

This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped while
really they are just concatenated. This makes it easy to introduce bugs
and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with { shell: true }.

Fixes: #57143

@nodejs-github-bot nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Feb 24, 2025
@DanielVenable
child_process: disallow args in execFile/spawn when shell option is true
e903326 
This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped
while really they are just concatenated. This makes it easy to introduce
bugs and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with `{ shell: true }`.

Fixes: nodejs#57143
@DanielVenable DanielVenable force-pushed the child-process-disallow-args-when-shell-option-true branch from 162ab95 to e903326 Compare February 24, 2025 20:22
@codecov Codecov
Copy link

codecov bot commented Feb 24, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.32%. Comparing base (b7beb33) to head (b265434).
Report is 6 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #57199      +/-   ##
==========================================
+ Coverage   90.30%   90.32%   +0.01%     
==========================================
  Files         630      630              
  Lines      184513   184516       +3     
  Branches    36072    36075       +3     
==========================================
+ Hits       166629   166663      +34     
+ Misses      10967    10963       -4     
+ Partials     6917     6890      -27
Files with missing lines Coverage Δ
lib/child_process.js 97.73% <100.00%> (+<0.01%) ⬆️

... and 35 files with indirect coverage changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Disallow args in child_process execFile/spawn when the shell option is true
2 participants
@DanielVenable @nodejs-github-bot