
[dev-tool] more secure fix for spawning process

Open jeremymeng opened this issue 1 year ago • 0 comments

Currently, when we run vendored commands, for Windows we set `shell: true`. This is subject to injection attacks: https://github.com/Azure/azure-sdk-for-js/pull/29414#issuecomment-2075603910

This work item tracks a more robust fix. We could port Rush's utility at https://github.com/microsoft/rushstack/blob/5d9c506caec86b1d2b979703c893b67481451bb5/libraries/node-core-library/src/Executable.ts#L674

jeremymeng, Oct 23 '24 20:10
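One way to launch a vendored command without `shell: true`, as an added example that is neither dev-tool code nor a port of the Rush utility linked in the issue. `planSpawn`, `runVendored` and `CMD_UNSAFE` are hypothetical names, and the rejected-character set is a conservative assumption.

```javascript
// Added example; all names here are hypothetical, not dev-tool or Rush APIs.

// Characters cmd.exe still interprets inside double quotes (% " !) or outside
// them (^ & | < > and newlines), plus a trailing backslash, which would escape
// the closing quote for a program the batch file forwards its arguments to.
// Assumption: rejecting such values is acceptable; it is simpler than escaping.
const CMD_UNSAFE = /[%^&|<>"!\r\n]|\\$/;

// Decide how to launch `command` with `args` without setting `shell: true`.
function planSpawn(command, args, platform = process.platform) {
  const isBatch = platform === "win32" && /\.(cmd|bat)$/i.test(command);
  if (!isBatch) {
    // Binaries take an argv array directly; no shell parses the arguments.
    return { file: command, args: [...args], options: { shell: false } };
  }
  for (const value of [command, ...args]) {
    if (CMD_UNSAFE.test(value)) {
      throw new Error(`Refusing cmd.exe-unsafe value: ${JSON.stringify(value)}`);
    }
  }
  // Batch files need cmd.exe, so invoke it explicitly with a fully quoted line.
  // /d skips AutoRun, /s strips only the outer quotes, /c runs and exits.
  const line = [command, ...args].map((v) => `"${v}"`).join(" ");
  return {
    file: process.env.ComSpec || "cmd.exe",
    args: ["/d", "/s", "/c", `"${line}"`],
    // Keep Node from re-quoting the command line built above.
    options: { shell: false, windowsVerbatimArguments: true },
  };
}

// Run the planned command and resolve with its exit code.
async function runVendored(command, args) {
  const { spawn } = await import("node:child_process");
  const plan = planSpawn(command, args);
  return new Promise((resolve, reject) => {
    const child = spawn(plan.file, plan.args, { ...plan.options, stdio: "inherit" });
    child.on("error", reject);
    child.on("close", resolve);
  });
}
```
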