nest-cli icon indicating copy to clipboard operation
nest-cli copied to clipboard

Published 20 hours ago ā€¢ verified publisher icon nestjs

Passing args to `node:child_process` or `execFile/spawn` with shell option true is deprecated

Open onurravli opened this issue 5 months ago ā€¢ 1 comments
trafficstars

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current behavior

In actions/start.action.ts and some of other files, we are calling node:child_process.spawn with { shell: true } option. And this can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.

Please refer this link.

Minimum reproduction code

https://github.com/nestjs/nest-cli

Steps to reproduce

No response

Expected behavior

Code should be refactored.

Package version

11.0.7

NestJS version

No response

Node.js version

No response

In which operating systems have you tested?

  • [ ] macOS
  • [ ] Windows
  • [ ] Linux

Other

No response

onurravli avatar Jun 15 '25 17:06 onurravli

did you have any suggestions or resources on how to address that?

micalevisk avatar Jun 15 '25 17:06 micalevisk

Without background of why nestjs uses {shell: true}, I would suggest changing this default and also skipping the JSON-escaping that currently attempts to escape options when the shell option is not true. Then the provided flags would be provided directly to the program without any modifications.

As stands now, passing in an argument which contains a shell-style variable reference appears to result in the reference getting replaced by nest start.. And providing --no-shell to nest start results in extra quotes.

# All examples use single quotes to escape the references within my primary shell session:
$ echo '$USER'
$USER

# nest resolves variables:
$ yarnpkg nest start -- '$USER'
(node:70156) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
error: unknown command 'daniellamando'
                        ^
                        `-- unintended variable substitution!

# nest adds extra double quotes when --no-shell is passed:
$ yarnpkg nest start --no-shell -- '$USER'
error: unknown command '"$USER"'

The extra quotes means that --no-shell is not a workaround when trying to pass in arguments.

[!WARNING] This seems to be the exact sort of security vulnerability that DEP0190 aims to address! Note that nest start can run arbitrary programs:

$ yarnpkg nest start -- '$(wc -l /etc/passwd > /dev/stderr; date)'
(node:71680) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
     132 /etc/passwd
error: unknown command 'Thu Jun 26 13:32:29 CEST 2025'

danopia avatar Jun 26 '25 11:06 danopia

Would you like to create a PR for this issue?

kamilmysliwiec avatar Jun 30 '25 11:06 kamilmysliwiec

Iā€™d like to take this issue and work on it.

seoyeonjin avatar Aug 15 '25 09:08 seoyeonjin

Fix PR: https://github.com/nestjs/nest-cli/pull/3128 PTAL šŸ‘

injae-kim avatar Aug 15 '25 13:08 injae-kim

any update? what version would the fix be merged? thank you!

finkpong avatar Sep 29 '25 13:09 finkpong

šŸ†™

MrZyr0 avatar Oct 25 '25 18:10 MrZyr0

+1

shadyshoha avatar Nov 01 '25 16:11 shadyshoha