Title: Disallow args in child_process execFile/spawn when the shell option is true · Issue #57143 · nodejs/node · GitHub
Description: The execFile and spawn functions allow passing the shell option to run a command using a shell. Despite the fact that setting this option to true means that arguments are no longer properly preserved, these functions continue to accept a...
Opengraph URL: https://github.com/nodejs/node/issues/57143
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Disallow args in child_process execFile/spawn when the shell option is true","articleBody":"The `execFile` and `spawn` functions allow passing the shell option to run a command using a shell. Despite the fact that setting this option to true means that arguments are no longer properly preserved, these functions continue to accept an array of arguments, giving the false impression that there is some isolation/escaping when behind the scenes the arguments are just [concatenated](https://github.com/nodejs/node/blob/f6ce48636b08292baac4fd443399ab9972e1a69b/lib/child_process.js#L614). This can make it trivial to introduce bugs and security issues, and the behavior is also not aligned with `exec` which only accepts a single command string that is passed to the shell. To make this point clearer, invocations like this are currently accepted, which shouldn't be the case:\n\n```javascript\nexecFileSync('echo \"hello', ['world\"'], { shell: true }).toString()\n```","author":{"url":"https://github.com/mohd-akram","@type":"Person","name":"mohd-akram"},"datePublished":"2025-02-20T07:45:05.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":7},"url":"https://github.com/57143/node/issues/57143"}