
child_process: disallow args in execFile/spawn when shell option is true #57199

Open · wants to merge 10 commits into main

Conversation

DanielVenable (Contributor)

This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped while
really they are just concatenated. This makes it easy to introduce bugs
and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with { shell: true }.

Fixes: #57143
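The concatenation the description refers to, shown as an added example rather than code from this PR or from Node.js: the function names below are my own, and `normalizeSpawnArguments` reproduces as a pure function (nothing is spawned) how `file` and `args` become a single `/bin/sh -c` string when `shell` is true on POSIX, next to the check this PR proposes. The file name `my notes.txt` is a constructed input.

```javascript
'use strict';
// Added illustration, not code from the PR or from lib/child_process.js. It
// mirrors what that file does with `file` and `args` when `shell: true` on
// POSIX: they are joined with single spaces and handed to `/bin/sh -c` as ONE
// string, with no quoting or escaping applied. Names here are assumptions.

function buildShellCommand(file, args) {
  return [file, ...args].join(' ');
}

// Current behaviour: returns what the underlying spawn would receive.
function normalizeSpawnArguments(file, args = [], options = {}) {
  if (options.shell) {
    const command = buildShellCommand(file, args);
    const sh = typeof options.shell === 'string' ? options.shell : '/bin/sh';
    return { file: sh, args: ['-c', command] };
  }
  // Without a shell, every element of `args` reaches the program as exactly
  // one argv entry, whatever characters it contains.
  return { file, args: [...args] };
}

// Behaviour this PR proposes: refuse `args` whenever `shell` is truthy, so a
// caller cannot mistake the array form for an escaped one.
function guardedSpawnArguments(file, args = [], options = {}) {
  if (options.shell && args.length > 0) {
    throw new TypeError(
      'The "args" argument must be empty when the "shell" option is true; ' +
      'pass the complete command as "file" instead');
  }
  return normalizeSpawnArguments(file, args, options);
}

// Audit helper: how many whitespace-separated words the shell will see,
// versus how many arguments the caller believed they were passing.
function shellWordCount(file, args) {
  return buildShellCommand(file, args).split(/\s+/).filter(Boolean).length;
}

// Constructed demonstration: a file name containing a space.
const userFile = 'my notes.txt';
const plain = normalizeSpawnArguments('wc', ['-l', userFile], { shell: false });
const viaShell = normalizeSpawnArguments('wc', ['-l', userFile], { shell: true });
console.log(plain.args);        // [ '-l', 'my notes.txt' ]  -> one operand
console.log(viaShell.args[1]);  // 'wc -l my notes.txt'      -> sh sees two operands
console.log(shellWordCount('wc', ['-l', userFile]));  // 4, not 3
```

The same join is what turns a value containing any other shell metacharacter into shell syntax, which is why the description calls the array form a false impression of escaping; with `shell: false` the array element count and the argv count always match.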

@nodejs-github-bot nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Feb 24, 2025
This will make it throw an error when args are passed to execFile or
spawn when the shell option is true. The reason for this is that when it
accepts args, it gives the false impression that the args are escaped
while really they are just concatenated. This makes it easy to introduce
bugs and security vulnerabilities.

This will break any code that relies on passing args to execFile or
spawn with `{ shell: true }`.

Fixes: nodejs#57143
@DanielVenable DanielVenable force-pushed the child-process-disallow-args-when-shell-option-true branch from 162ab95 to e903326 Compare February 24, 2025 20:22
codecov bot commented Feb 24, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.23%. Comparing base (b7beb33) to head (20daad9).
Report is 37 commits behind head on main.

@@            Coverage Diff             @@
##             main   #57199      +/-   ##
==========================================
- Coverage   90.30%   90.23%   -0.07%     
==========================================
  Files         630      630              
  Lines      184513   184928     +415     
  Branches    36072    36188     +116     
==========================================
+ Hits       166629   166875     +246     
- Misses      10967    11063      +96     
- Partials     6917     6990      +73     
Files with missing lines Coverage Δ
lib/child_process.js 97.74% <100.00%> (+0.01%) ⬆️

... and 50 files with indirect coverage changes

@RafaelGSS RafaelGSS added the semver-major PRs that contain breaking changes and should be released in the next major version. label Feb 25, 2025
@RafaelGSS (Member) left a comment


This is a semver-major change as it will break people currently using the args approach (even being ignored).

I'm not sure if we want to change the API in those situations. I think adding a process.emitWarning could be a safer approach in this situation (also semver-major).

@aduh95 (Contributor) left a comment


Let's add an entry in deprecation.md since we're effectively deprecating it

@RafaelGSS RafaelGSS added deprecations Issues and PRs related to deprecations. request-ci Add this label to start a Jenkins CI on a PR. labels Feb 27, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 27, 2025

@@ -3840,6 +3840,20 @@ Type: Documentation-only
`process.features.tls_alpn`, `process.features.tls_ocsp`, and `process.features.tls_sni` are
deprecated, as their values are guaranteed to be identical to that of `process.features.tls`.

### DEP0190: Passing args to child\_process `execFile`/`spawn` with shell option true
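Review bot: Only the DEP0190 heading is visible here although the hunk header reports 14 added lines, so make sure the entry's `Type:` line reflects what this PR actually does at runtime (it throws, unlike the preceding entry's `Type: Documentation-only`) and that the body states the supported alternative, i.e. pass the complete command as a single string when `shell` is true, or keep `shell: false` and pass `args`. The heading itself should code-span `args`, `child_process` (dropping the `\_` escape), `shell` and `true` the way `execFile`/`spawn` already are.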
@aduh95 (Contributor) Feb 27, 2025


Could you open a separate PR to land a doc-only deprecation first, which can be backported to existing release lines please?

Suggested change
### DEP0190: Passing args to child\_process `execFile`/`spawn` with shell option true
### DEP0190: Passing `args` to `child_process` `execFile`/`spawn` with `shell` option `true`

@mohd-akram (Contributor)

Thank you @DanielVenable for creating this PR. What's the update on this? It would be good to get this into Node.js 24 as the freeze is in a couple of weeks.

Successfully merging this pull request may close these issues.

Disallow args in child_process execFile/spawn when the shell option is true