From 75f9ece44000b7bab6c9bd8fd0968aebac402470 Mon Sep 17 00:00:00 2001
From: Sorin Davidoi
Date: Fri, 18 Mar 2022 21:19:12 +0100
Subject: [PATCH] fix(core): don't allow arbitrary code execution when manipulating cache (#9329)
The Node documentation for `exec` states: > Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution. The `folder` variable comes directly from the `NX_CACHE_DIRECTORY` environment variable (or from `nx.json`). Careful crafting of this variable can result in NX executing arbitrary commands. This patch fixes this by using `execFile`, which does not spawn a shell.
---
 packages/workspace/src/tasks-runner/cache.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/workspace/src/tasks-runner/cache.ts b/packages/workspace/src/tasks-runner/cache.ts
index 4fd1edc61343c..7bdbed8a511c8 100644
--- a/packages/workspace/src/tasks-runner/cache.ts
+++ b/packages/workspace/src/tasks-runner/cache.ts
@@ -14,7 +14,7 @@ import {
 } from 'fs-extra';
 import { dirname, join, resolve, sep } from 'path';
 import { DefaultTasksRunnerOptions } from './default-tasks-runner';
-import { spawn, exec } from 'child_process';
+import { spawn, execFile } from 'child_process';
 import { cacheDir } from '../utilities/cache-directory';
 import { platform } from 'os';
@@ -190,7 +190,7 @@ export class Cache {
 }
 return new Promise((res, rej) => {
- exec(`cp -a "${src}" "${dirname(directory)}"`, (error) => {
+ execFile('cp', ['-a', src, dirname(directory)], (error) => {
 if (!error) {
 res();
 } else {
@@ -207,7 +207,7 @@ export class Cache {
 }
 return new Promise((res, rej) => {
- exec(`rm -rf "${folder}"`, (error) => {
+ execFile('rm', ['-rf', folder], (error) => {
 if (!error) {
 res();
 } else {
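Review bot: In the `cp` call at @@ -190 the paths are passed as positional arguments with nothing marking the end of options, so a value of `src` or `directory` that begins with `-` would be parsed by `cp` as a flag rather than a path; the same holds for `folder` in the `rm -rf` call at @@ -207. Dropping the shell removes command injection, but option injection is a separate class that `execFile` alone does not address. The POSIX end-of-options marker covers it: `execFile('cp', ['-a', '--', src, dirname(directory)], …)` and `execFile('rm', ['-rf', '--', folder], …)`. If these paths are always resolved to absolute form before reaching this code the change is only hardening, but that cannot be confirmed here because both enclosing methods start and end outside the hunks.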