fix(core): don't allow arbitrary code execution when manipulating cache #9329
Conversation
The Node documentation for `exec` states:

> Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

The `folder` variable comes directly from the `NX_CACHE_DIRECTORY` environment variable (or from `nx.json`). Careful crafting of this variable can result in NX executing arbitrary commands. This patch fixes this by using `execFile`, which does not spawn a shell.
Thank you for your contribution! LGTM 🎉
…he (#9329)

The Node documentation for `exec` states:

> Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

The `folder` variable comes directly from the `NX_CACHE_DIRECTORY` environment variable (or from `nx.json`). Careful crafting of this variable can result in NX executing arbitrary commands. This patch fixes this by using `execFile`, which does not spawn a shell.
This pull request has already been merged/closed. If you experience issues related to these changes, please open a new issue referencing this pull request.
Current Behavior

A carefully crafted `NX_CACHE_DIRECTORY` (environment variable) can make NX execute arbitrary commands. The same holds true for the `cacheDirectory` field in `nx.json`.

Expected Behavior

NX should not execute arbitrary code embedded in the `NX_CACHE_DIRECTORY` environment variable.

Fix

The Node documentation for `exec` states:

> Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

The `folder` variable comes directly from the `NX_CACHE_DIRECTORY` environment variable (or from `nx.json`). Careful crafting of this variable can result in NX executing arbitrary commands.

This patch fixes this by using `execFile`, which does not spawn a shell.