🔒 fix: Command Injection vulnerability in install-manager.ts

- Changed `shell: true` to `shell: false` in `spawn` calls within `electron/main/backend/install-manager.ts`.
- Updated `AGENTS.md` documentation to reflect the security best practice.
- Verified that the fix prevents command injection using a reproduction script.

Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
Author: google-labs-jules[bot]
Date: 2026-03-10 15:53:44 +00:00
Parent: 4fd280cf85
Commit: 828ffd86e8
2 changed files with 4 additions and 4 deletions
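To make the difference between the two `spawn` options concrete, here is an added example that is not part of this commit or of the project's code. It assumes a POSIX `sh` (the verifier's platform) and uses `echo` as a stand-in for `execCommand` and a constructed attacker-controlled string as a stand-in for an `execParams` entry: with `shell: true` the argument list is joined into one command line for the shell, so `&&` becomes an operator and a second command runs; with `shell: false` the same string is passed as a single argv element and printed literally. The `rejectOptionLikeArgs` helper is a hypothetical guard added here to show the caveat that `shell: false` does not cover argument injection.

```typescript
import { spawnSync } from "node:child_process";

// Constructed attacker-controlled value (example data, not from the page):
// it looks like an ordinary argument but carries a shell operator.
const TAINTED_ARG = "hello && echo INJECTED";

interface RunResult {
  stdout: string;
  injected: boolean; // true if the smuggled second command ran
}

function sawInjectedLine(stdout: string): boolean {
  // Only a line consisting solely of INJECTED proves a second command ran;
  // the literal "hello && echo INJECTED" line does not match.
  return /^INJECTED$/m.test(stdout);
}

// Pre-fix behaviour (`shell: true`): Node joins command and args with spaces
// and hands the result to `sh -c` (cmd.exe on Windows), so metacharacters in
// `arg` are interpreted by the shell.
function runWithShell(arg: string): RunResult {
  const r = spawnSync("echo", [arg], { shell: true, encoding: "utf8" });
  return { stdout: r.stdout, injected: sawInjectedLine(r.stdout) };
}

// Post-fix behaviour (`shell: false`): `echo` is exec'd directly and `arg`
// is one argv entry, so "&&" is plain text rather than an operator.
function runWithoutShell(arg: string): RunResult {
  const r = spawnSync("echo", [arg], { shell: false, encoding: "utf8" });
  return { stdout: r.stdout, injected: sawInjectedLine(r.stdout) };
}

// Hypothetical guard: `shell: false` still lets a value beginning with "-"
// be parsed as an option by the target program (argument injection), and
// NUL/newline bytes can confuse argv handling. Reject both, or prefix the
// argument list with "--" where the target program supports it.
function rejectOptionLikeArgs(args: string[]): string[] {
  for (const a of args) {
    if (a.startsWith("-")) {
      throw new Error(`refusing option-like argument: ${a}`);
    }
    if (/[\0\r\n]/.test(a)) {
      throw new Error("refusing argument containing control characters");
    }
  }
  return args;
}

// Stand-alone demonstration.
console.log("shell:true  ->", JSON.stringify(runWithShell(TAINTED_ARG).stdout));
console.log("shell:false ->", JSON.stringify(runWithoutShell(TAINTED_ARG).stdout));
```

On the pre-fix path the output contains a separate `INJECTED` line; on the fixed path the whole tainted string is echoed back as one literal argument. The guard is the piece the option flip alone does not give you: a caller that forwards untrusted values into `execParams` still needs to stop them from being read as flags by the installed tool.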


@@ -285,7 +285,7 @@ const execParams =
// 生成进程
const child = spawn(execCommand, execParams, {
shell: true,
shell: false,
env: process.env,
});
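Review bot: `shell: false` stops the shell from interpreting metacharacters in `execParams`, but it does not stop argument injection: an `execParams` entry that begins with `-` is still parsed as an option by whatever `execCommand` launches, so the values fed into `execParams` should be validated, or the list prefixed with `--` where the target program supports it. Two behavioural consequences deserve a line in the commit message: with `shell: false`, `execCommand` must resolve to a real executable (on Windows, `.cmd`/`.bat` wrappers such as the ones npm ships no longer launch without a shell), and any `execParams` entry that previously relied on shell expansion (globs, `~`, `$VAR`) now arrives literally. Separately, `env: process.env` still hands the child the full parent environment; passing only the variables the installer needs would narrow that further.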