Skip to content

child_process: validate options.shell and correctly enforce shell invocation in exec/execSync#54623

Closed
Renegade334 wants to merge 3 commits intonodejs:mainfrom
Renegade334:child-process-exec-shell
Closed

child_process: validate options.shell and correctly enforce shell invocation in exec/execSync#54623
Renegade334 wants to merge 3 commits intonodejs:mainfrom
Renegade334:child-process-exec-shell

Conversation

@Renegade334
Copy link
Member

@Renegade334 Renegade334 commented Aug 28, 2024
edited
Loading

The intention of exec and execSync is that a shell is always invoked to run the provided command, as opposed to execFile, which by default executes the target directly and does not invoke a shell. Unlike its counterparts elsewhere in child_process, exec's options.shell is documented as not accepting a boolean, as it's not intended to be possible to disable shell invocation and switch to execFile-like behaviour.

exec's options.shell is currently handled the following way:

  • passed to normalizeExecArgs()
    • if the shell parameter is not a string, it is coerced to boolean true
  • passed to normalizeSpawnArguments()
    • if non-nullish, the parameter is validated as being of type string|boolean
    • if the parameter is truthy at this point, then spawn() runs a shell; if not, it executes the target directly

The intention is clearly to force shell invocation with exec/execSync in all cases, but the current implementation has the following problems:

  • The parameter is not validated at all; instead, if it's not a string, it's silently ignored and coerced to true, which passes downstream validation in normalizeSpawnArguments(). In other words, passing an invalid value to options.shell will never raise a validation error.
  • The logic in the normalize functions combines to yield an edge case, which is when exec/execSync is called with options.shell set to the empty string:
    • the parameter is passed through unchanged by normalizeExecArgs()
    • the parameter passes validation in normalizeSpawnArguments()
    • the parameter is not truthy, so normalizeSpawnArguments() fails to set up the shell
    • the child process is spawned without a shell, with the file target set to the entire command string: 
      child_process.exec('./script some-parameter', { shell: '' })
// should invoke a shell to run "./script" and pass an argument
// instead, attempts to execute a file called "script some-parameter"

This patch makes two simple changes. Firstly, it validates the shell option sent to exec/execSync as a string. Secondly, it coerces all falsy values to boolean true, so will never bypass shell setup. (This makes { shell: '' } equivalent to { shell: undefined }, which matches how it behaves in the other child_process functions.)

@nodejs-github-bot nodejs-github-bot added child_process Issues and PRs related to the child_process subsystem. needs-ci PRs that need a full CI run. labels Aug 28, 2024
avivkeller
avivkeller reviewed Aug 28, 2024
View reviewed changes
@avivkeller
Copy link
Member

avivkeller commented Aug 28, 2024
edited
Loading

CC @nodejs/child_process

@Renegade334 can you shorten the commit message, it's too long to land. Something like child_process: validate that `shell` is a XYZ

@Renegade334 Renegade334 force-pushed the child-process-exec-shell branch from 22673fb to ce02538 Compare August 28, 2024 23:51
@avivkeller avivkeller added the commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. label Aug 28, 2024
@codecov
Copy link

codecov bot commented Aug 29, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.54%. Comparing base (98d4ebc) to head (79e548e).
Report is 157 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #54623   +/-   ##
=======================================
  Coverage   88.53%   88.54%           
=======================================
  Files         657      657           
  Lines      190741   190746    +5     
  Branches    36607    36605    -2     
=======================================
+ Hits       168881   168899   +18     
+ Misses      15036    15028    -8     
+ Partials     6824     6819    -5
Files with missing lines Coverage Δ
lib/child_process.js 97.74% <100.00%> (+0.01%) ⬆️

... and 41 files with indirect coverage changes

avivkeller
avivkeller reviewed Aug 29, 2024
View reviewed changes
@Renegade334 Renegade334 force-pushed the child-process-exec-shell branch from ce02538 to 2288c07 Compare August 29, 2024 07:14
@jasnell jasnell added the request-ci Add this label to start a Jenkins CI on a PR. label Sep 8, 2024
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Sep 8, 2024
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Sep 8, 2024

CI: https://ci.nodejs.org/job/node-test-pull-request/62171/

@Renegade334 Renegade334 force-pushed the child-process-exec-shell branch from 3cf56e3 to f61299e Compare September 8, 2024 15:07
@jasnell
Copy link
Member

jasnell commented Sep 8, 2024

PR is currently blocked from landing due to unreliable CI. Looks like the OSX runner is jammed up.

@Renegade334
Copy link
Member Author

Renegade334 commented Oct 19, 2024

@jasnell could this go back to request-ci, now that OS X is more stable?

@Renegade334
child_process: validate shell option in normalizeExecArgs()
68e4e69 
- narrow validation type to string (previously de facto not validated)
- ensure empty string is coerced to true
@Renegade334
add test cases for options.shell
1a38681
@Renegade334
fix windows test
79e548e
@Renegade334 Renegade334 force-pushed the child-process-exec-shell branch from f61299e to 79e548e Compare January 2, 2025 14:37
@Renegade334 Renegade334 mentioned this pull request Jan 25, 2025
Closed
@Renegade334 Renegade334 mentioned this pull request May 31, 2025
Closed
@Renegade334 Renegade334 mentioned this pull request Jul 23, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@avivkeller avivkeller avivkeller left review comments

Assignees

No one assigned

Labels

child_process Issues and PRs related to the child_process subsystem. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Renegade334 @avivkeller @nodejs-github-bot @jasnell