Conversation

@DanielVenable (Contributor)

This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped while
really they are just concatenated. This makes it easy to introduce bugs
and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with { shell: true }.

Fixes: #57143

@nodejs-github-bot nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Feb 24, 2025
@DanielVenable DanielVenable force-pushed the child-process-disallow-args-when-shell-option-true branch from 162ab95 to e903326 on February 24, 2025 20:22

@codecov (codecov bot) commented Feb 24, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.22%. Comparing base (922ce9d) to head (180b40a).
Report is 25 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #57199      +/-   ##
==========================================
- Coverage   90.23%   90.22%   -0.02%     
==========================================
  Files         629      629              
  Lines      184939   184948       +9     
  Branches    36232    36233       +1     
==========================================
- Hits       166885   166870      -15     
- Misses      11011    11023      +12     
- Partials     7043     7055      +12     
Files with missing lines: lib/child_process.js, coverage 97.74% (changed lines 100.00%, +0.01% ⬆️)

... and 44 files with indirect coverage changes

@RafaelGSS RafaelGSS added the semver-major PRs that contain breaking changes and should be released in the next major version. label Feb 25, 2025
@RafaelGSS (Member) left a comment

This is a semver-major change as it will break people currently using the args approach (even being ignored).

I'm not sure if we want to change the API in those situations. I think adding a process.emitWarning could be a safer approach in this situation (also semver-major).

@aduh95 (Contributor) left a comment

Let's add an entry in deprecation.md since we're effectively deprecating it.

@RafaelGSS RafaelGSS added deprecations Issues and PRs related to deprecations. request-ci Add this label to start a Jenkins CI on a PR. labels Feb 27, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 27, 2025
@mohd-akram (Contributor)

Thank you @DanielVenable for creating this PR. What's the update on this? It would be good to get this into Node.js 24 as the freeze is in a couple of weeks.

aduh95 added a commit that referenced this pull request Mar 19, 2025
PR-URL: #57389
Refs: #57199
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Jason Zhang <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
DanielVenable and others added 2 commits March 19, 2025 11:07
Accepting `args` gives the false impression that the args are escaped
while really they are just concatenated. This makes it easy to introduce
bugs and security vulnerabilities.
@aduh95 aduh95 force-pushed the child-process-disallow-args-when-shell-option-true branch from c885d04 to 7a04435 on March 19, 2025 10:23

@aduh95 (Contributor) commented Mar 19, 2025

@DanielVenable I've rebased to fix the git conflicts. I've also pushed 7a04435 to fix the implementation, PTAL.

@aduh95 (Contributor) commented Mar 19, 2025

/cc @nodejs/tsc since this is semver-major

@DanielVenable (Contributor, Author)

@aduh95 LGTM

@aduh95 aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Mar 21, 2025
Labels

- author ready: PRs that have at least one approval, no pending requests for changes, and a CI started.
- child_process: Issues and PRs related to the child_process subsystem.
- commit-queue-squash: Add this label to instruct the Commit Queue to squash all the PR commits into the first one.
- deprecations: Issues and PRs related to deprecations.
- needs-ci: PRs that need a full CI run.
- semver-major: PRs that contain breaking changes and should be released in the next major version.

Linked issue (closed on merge): Disallow args in child_process execFile/spawn when the shell option is true