🔒 fix: Command Injection vulnerability in install-manager.ts

- Changed `shell: true` to `shell: false` in `spawn` calls within `electron/main/backend/install-manager.ts`.
- Updated `AGENTS.md` documentation to reflect the security best practice.
- Verified that the fix prevents command injection using a reproduction script.

Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
google-labs-jules[bot]
2026-03-10 15:53:44 +00:00
parent 4fd280cf85
commit 828ffd86e8
2 changed files with 4 additions and 4 deletions


@@ -52,7 +52,7 @@ const runCommandCapture = async (execCommand: string, execParams: string[]) => {
return await new Promise<{ code: number; stdout: string; stderr: string }>(
(resolve) => {
const child = spawn(execCommand, execParams, {
shell: true,
shell: false,
env: process.env,
});
@@ -340,7 +340,7 @@ async function processNextInQueue() {
stderr: string;
}>((resolve, reject) => {
const child = spawn(task.execCommand, task.execParams, {
shell: true,
shell: false,
env: process.env,
});
task.install_process = child;
@@ -484,7 +484,7 @@ ipcMain.on("remove-installed", async (_event, pkgname: string) => {
execCommand,
[...execParams, "aptss", "remove", pkgname],
{
shell: true,
shell: false,
env: process.env,
},
);
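Review bot: In the `remove-installed` handler (third hunk) `pkgname` still reaches `aptss remove` exactly as the renderer sent it; `shell: false` stops shell metacharacters, but a value that begins with `-` would most likely be read by aptss as an option rather than a package name, and the spread `execParams` ahead of it is passed through just as untouched. A guard before the spawn such as `if (!/^[a-z0-9][a-z0-9+.-]+$/.test(pkgname)) { /* reject the request */ return; }` (the Debian package-name pattern) keeps the argument to a plain package name without changing the call. The same caveat applies to whatever populates `execCommand`/`execParams` in the first hunk and `task.execCommand`/`task.execParams` in the second: with `shell: false` the command must be a bare executable and each argument its own array element, so any caller that built a composite command string or relied on the shell for `~` or glob expansion will now fail and should be checked. All three enclosing functions start and end outside the hunks.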