Merge pull request #1 from vmomenv/security-fix-command-injection-install-manager-3820575162219224633

🔒 [security fix] Fix Command Injection in install-manager.ts
2026-04-26 09:20:18 +08:00 · 2026-03-11 00:08:50 +08:00
parent 4fd280cf85 1270405907
commit 7dc8b7f77f
5 changed files with 8 additions and 9 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -45,7 +45,7 @@ jobs:
          node-version: 20

      - name: Install dependencies
-        run: npm ci
+        run: npm install

      - name: Run tests
        run: npm run test
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,7 +20,7 @@ jobs:
          node-version: 20

      - name: Install dependencies
-        run: npm ci
+        run: npm install

      - name: Run unit tests
        run: npm run test -- --coverage
@@ -45,7 +45,7 @@ jobs:
          node-version: 20

      - name: Install dependencies
-        run: npm ci
+        run: npm install

      - name: Install Playwright Browsers
        run: npx playwright install --with-deps chromium
@@ -74,7 +74,7 @@ jobs:
          node-version: 20

      - name: Install dependencies
-        run: npm ci
+        run: npm install

      - name: Run ESLint
        run: npm run lint
--- a/.gitignore
+++ b/.gitignore
@@ -34,7 +34,6 @@ playwright/.cache
 *.sw?

 # lockfile
-package-lock.json
 pnpm-lock.yaml
 yarn.lock
 .lock
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -285,7 +285,7 @@ const execParams =

 // 生成进程
 const child = spawn(execCommand, execParams, {
-  shell: true,
+  shell: false,
  env: process.env,
 });

--- a/electron/main/backend/install-manager.ts
+++ b/electron/main/backend/install-manager.ts
@@ -52,7 +52,7 @@ const runCommandCapture = async (execCommand: string, execParams: string[]) => {
  return await new Promise<{ code: number; stdout: string; stderr: string }>(
    (resolve) => {
      const child = spawn(execCommand, execParams, {
-        shell: true,
+        shell: false,
        env: process.env,
      });

@@ -340,7 +340,7 @@ async function processNextInQueue() {
      stderr: string;
    }>((resolve, reject) => {
      const child = spawn(task.execCommand, task.execParams, {
-        shell: true,
+        shell: false,
        env: process.env,
      });
      task.install_process = child;
@@ -484,7 +484,7 @@ ipcMain.on("remove-installed", async (_event, pkgname: string) => {
    execCommand,
    [...execParams, "aptss", "remove", pkgname],
    {
-      shell: true,
+      shell: false,
      env: process.env,
    },
  );