fix(security): harden Windows child process spawning

2026-04-25 03:04:29 -04:00 · 2026-02-15 03:24:21 +01:00
parent 7b697d6128
commit a7eb0dd9a5
7 changed files with 29 additions and 9 deletions
--- a/src/process/exec.test.ts
+++ b/src/process/exec.test.ts
@@ -1,7 +1,16 @@
 import { describe, expect, it } from "vitest";
-import { runCommandWithTimeout } from "./exec.js";
+import { runCommandWithTimeout, shouldSpawnWithShell } from "./exec.js";

 describe("runCommandWithTimeout", () => {
+  it("never enables shell execution (Windows cmd.exe injection hardening)", () => {
+    expect(
+      shouldSpawnWithShell({
+        resolvedCommand: "npm.cmd",
+        platform: "win32",
+      }),
+    ).toBe(false);
+  });
+
  it("passes env overrides to child", async () => {
    const result = await runCommandWithTimeout(
      [process.execPath, "-e", 'process.stdout.write(process.env.OPENCLAW_TEST_ENV ?? "")'],