Fix client update shell command built from environment values #1348

Open: wants to merge 1 commit into base: main

Conversation

@odaysec commented Jul 2, 2025

const childProcess = spawn("cmd", ["/c", vsCpdeCommandFile, "--install-extension", `${baseExtensionInstallPath}/${latestUpdatePath}/${file}`]);

Dynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.

Fix in update.ts: the shell command should be constructed in a way that avoids interpretation by the shell. Instead of interpolating the potentially tainted latestUpdatePath directly into the command string, the spawn function should use its argument array to pass the dynamic values separately. This ensures that special characters in filenames are treated as literal values rather than being interpreted by the shell.

  1. Using spawn or execFile with arguments passed separately instead of interpolating them into the command string.
  2. Validating or sanitizing the latestUpdatePath and file variables to ensure they do not contain unexpected or malicious input.

@smera (Member) commented Jul 7, 2025

Hello @odaysec,
Thanks for your interest in BuildXL! Unfortunately, per our contributing guide, we ask that contributions are limited to substantial changes as opposed to cleanups/minor fixes.

Thanks,
Serge.

@smera smera added the wontfix This will not be worked on label Jul 7, 2025