From cc3dfe67250edeab9a2838e8a7762be7a9b3e84d Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sun, 9 Mar 2025 17:27:27 +0100 Subject: [PATCH 1/4] doc: deprecate passing `args` to `spawn` and `execFile` --- doc/api/deprecations.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index c3121f224703fb..fd538098bb5c13 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3843,6 +3843,21 @@ Type: Documentation-only `process.features.tls_alpn`, `process.features.tls_ocsp`, and `process.features.tls_sni` are deprecated, as their values are guaranteed to be identical to that of `process.features.tls`. +### DEP0190: Passing `args` to `node:child_process` `execFile`/`spawn` with `shell` option `true` + + + +Type: Documentation-only + +When an `args` array is passed to [`child_process.execFile`][] or [`child_process.spawn`][] with the option +`{ shell: true }`, the values are not escaped, only space-separated, which can lead to shell injection. + [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3 [RFC 8247 Section 2.4]: https://www.rfc-editor.org/rfc/rfc8247#section-2.4 From 63f2d21de45213fc9b8ffd2be91bac69aa1db34e Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 18 Mar 2025 11:39:46 +0100 Subject: [PATCH 2/4] Update doc/api/deprecations.md Co-authored-by: James M Snell --- doc/api/deprecations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index fd538098bb5c13..00dc35cccca6df 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3849,7 +3849,7 @@ deprecated, as their values are guaranteed to be identical to that of `process.f changes: - version: - REPLACEME - pr-url: https://github.com/nodejs/node/pull/57199 + pr-url: https://github.com/nodejs/node/pull/57389 description: Documentation-only deprecation. --> From f2e2ee74a91a811e079ff66fa33c34977d49ec85 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 18 Mar 2025 11:40:22 +0100 Subject: [PATCH 3/4] Update deprecations.md --- doc/api/deprecations.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 00dc35cccca6df..08f35007a59d06 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3886,6 +3886,8 @@ When an `args` array is passed to [`child_process.execFile`][] or [`child_proces [`asyncResource.runInAsyncScope()`]: async_context.md#asyncresourceruninasyncscopefn-thisarg-args [`buffer.subarray`]: buffer.md#bufsubarraystart-end [`child_process`]: child_process.md +[`child_process.execFile`]: child_process.md#child_processexecfilefile-args-options-callback +[`child_process.spawn`]: child_process.md#child_processspawncommand-args-options [`clearInterval()`]: timers.md#clearintervaltimeout [`clearTimeout()`]: timers.md#cleartimeouttimeout [`console.error()`]: console.md#consoleerrordata-args From 923d3495caf620c242fcdefedec7c98d75eeae20 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Tue, 18 Mar 2025 11:45:29 +0100 Subject: [PATCH 4/4] Update doc/api/deprecations.md --- doc/api/deprecations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md index 08f35007a59d06..61f7471bd80388 100644 --- a/doc/api/deprecations.md +++ b/doc/api/deprecations.md @@ -3885,9 +3885,9 @@ When an `args` array is passed to [`child_process.execFile`][] or [`child_proces [`assert`]: assert.md [`asyncResource.runInAsyncScope()`]: async_context.md#asyncresourceruninasyncscopefn-thisarg-args [`buffer.subarray`]: buffer.md#bufsubarraystart-end -[`child_process`]: child_process.md [`child_process.execFile`]: child_process.md#child_processexecfilefile-args-options-callback [`child_process.spawn`]: child_process.md#child_processspawncommand-args-options +[`child_process`]: child_process.md [`clearInterval()`]: timers.md#clearintervaltimeout [`clearTimeout()`]: timers.md#cleartimeouttimeout [`console.error()`]: console.md#consoleerrordata-args