fix(core): don't allow arbitrary code execution when manipulating cac…

…he (#9329) The Node documentation for `exec` states: > Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution. The `folder` variable comes directly from the `NX_CACHE_DIRECTORY` environment variable (or from `nx.json`). Careful crafting of this variable can result in NX executing arbitrary commands. This patch fixes this by using `execFile`, which does not spawn a shell.
nrwl · Mar 18, 2022 · 75f9ece · 75f9ece
1 parent f5dfb83
commit 75f9ece
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/packages/workspace/src/tasks-runner/cache.ts b/packages/workspace/src/tasks-runner/cache.ts
@@ -14,7 +14,7 @@ import {
 } from 'fs-extra';
 import { dirname, join, resolve, sep } from 'path';
 import { DefaultTasksRunnerOptions } from './default-tasks-runner';
-import { spawn, exec } from 'child_process';
+import { spawn, execFile } from 'child_process';
 import { cacheDir } from '../utilities/cache-directory';
 import { platform } from 'os';
 
@@ -190,7 +190,7 @@ export class Cache {
     }
 
     return new Promise((res, rej) => {
-      exec(`cp -a "${src}" "${dirname(directory)}"`, (error) => {
+      execFile('cp', ['-a', src, dirname(directory)], (error) => {
         if (!error) {
           res();
         } else {
@@ -207,7 +207,7 @@ export class Cache {
     }
 
     return new Promise<void>((res, rej) => {
-      exec(`rm -rf "${folder}"`, (error) => {
+      execFile('rm', ['-rf', folder], (error) => {
         if (!error) {
           res();
         } else {