Files
nexu-io-open-design/tools/dev/tests/run-logged-command.test.ts
OrbisAI Security 1943131ced fix: multiple subprocess calls accept user-controlle... in index.ts (#4754)
* fix: V-001 security vulnerability

Automated security fix generated by OrbisAI Security

* fix: multiple subprocess calls accept user-controlle... in index.ts

Multiple subprocess calls accept user-controlled arguments without proper validation or sanitization, allowing attackers to inject shell metacharacters and execute arbitrary commands on the host system

* Apply code changes: Hey @orbisai0security — @PerishCode's blocking rev...
2026-06-26 13:56:50 +00:00

30 lines
1.1 KiB
TypeScript

import assert from "node:assert/strict";
import { readFile } from "node:fs/promises";
import path from "node:path";
import { describe, it } from "node:test";
import { fileURLToPath } from "node:url";
const toolsDevRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
describe("runLoggedCommand security: shell injection prevention (V-001)", () => {
it("spawn is invoked with shell: false to prevent user-controlled argument injection", async () => {
const src = await readFile(path.join(toolsDevRoot, "src/index.ts"), "utf8");
// Security invariant: runLoggedCommand must pass shell: false to spawn.
// Without this, shell metacharacters in user-controlled args (command or
// args[]) are interpreted by /bin/sh, enabling arbitrary command execution.
assert.match(
src,
/shell:\s*false/,
"spawn() in runLoggedCommand must explicitly set shell: false",
);
// Guard against regressions that re-introduce shell: true anywhere in this file.
assert.doesNotMatch(
src,
/shell:\s*true/,
"No spawn() call in index.ts should set shell: true",
);
});
});