Fix Shell command built from environment values

[kreeksec]

nest/tools/gulp/tasks/samples.ts

Lines 81 to 86 in b6d4188

	const result = await exec(
	`${script} --prefix ${dir} ${appendScript ? '-- ' + appendScript : ''}`,
	);
	// const result = await exec(`npx npm-check-updates -u`, {
	// cwd: join(process.cwd(), dir),
	// });

Dynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.

Fix the problem, we should avoid constructing a shell command string that includes untrusted or unsanitized values. Instead, we should use childProcess.execFile (or its promisified version) to run the command with arguments provided as an array, which avoids shell interpretation and the associated risks.

Detailed steps:

• Replace the use of exec (which runs a shell command string) with execFile (which runs a command with arguments, without a shell).
• Parse the script and appendScript parameters into an array of arguments.
• Call execFile with the command and argument array.
• Promisify execFile as needed.
• Update the import to include execFile from child_process.
• Update the code in executeNPMScriptInDirectory to use the new approach.

Required changes:

• In tools/gulp/tasks/samples.ts:
  • Import execFile from child_process.
  • Promisify execFile.
  • Update executeNPMScriptInDirectory to use execFile instead of exec, and to build the argument array safely.
  • Parse the script string into command and arguments (e.g., 'npm install --legacy-peer-deps' → ['npm', 'install', '--legacy-peer-deps']).
  • Add --prefix and dir as arguments.
  • If appendScript is provided, split it into arguments and append.

PR Checklist

Please check if your PR fulfills the following requirements:

• The commit message follows our guidelines: https://github.com/nestjs/nest/blob/master/CONTRIBUTING.md
• Tests for the changes have been added (for bug fixes / features)
• Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

• Bugfix
• Feature
• Code style update (formatting, local variables)
• Refactoring (no functional changes, no api changes)
• Build related changes
• CI related changes
• Other... Please describe:

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

• Yes
• No

Other information

[coveralls]

Pull Request Test Coverage Report for Build f08d1337-8dfe-4e46-b87f-a90bc886e552

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 88.913%

---

Totals
Change from base Build 04bed9d7-7757-4e1f-8cbc-515c382bbbb3:	0.0%
Covered Lines:	7282
Relevant Lines:	8190

---

💛 - Coveralls