Merge pull request #1520 from IgniteUI/dpetev/fix-start-process-exec

Fix start and other npm exec commands

Author: damyanpetev

packages/cli/lib/commands/start.ts

@@ -7,16 +7,16 @@ import { PositionalArgs, StartCommandType } from "./types";
 import { ArgumentsCamelCase } from "yargs";
 
 const execSyncNpmStart = (port: number, options: ExecSyncOptions): void => {
-	const args = ['start'];
 	if (port) {
 		// Validate port is a number to prevent command injection
 		if (!Number.isInteger(port) || port < 0 || port > 65535) {
 			Util.error(`Invalid port number: ${port}`, "red");
 			return;
 		}
-		args.push('--', `--port=${port}`);
+		Util.execSync(`npm start -- --port=${port}`, options);
+		return;
 	}
-	Util.spawnSync('npm', args, options);
+	Util.execSync(`npm start`, options);
 };
 
 const command: StartCommandType = {

packages/core/packages/PackageManager.ts

@@ -1,4 +1,4 @@
-import { spawn } from "child_process";
+import { exec } from "child_process";
 import * as path from "path";
 import { TemplateManager } from "../../cli/lib/TemplateManager";
 import { Config, FS_TOKEN, IFileSystem, ProjectTemplate } from "../types";
@@ -88,9 +88,8 @@ export class PackageManager {
 		const config = ProjectConfig.localConfig();
 		if (!config.packagesInstalled) {
 			let command: string;
-			let managerCommand: string;
+			const managerCommand = this.getManager();
 
-			managerCommand = this.getManager();
 			switch (managerCommand) {
 				case "npm":
 				/* passes through */
@@ -123,49 +122,52 @@ export class PackageManager {
 	}
 
 	public static removePackage(packageName: string, verbose: boolean = false): boolean {
+		let command: string;
 		const managerCommand = this.getManager();
-		let args: string[];
+		const sanitizePackage = Util.sanitizeShellArg(packageName);
 		switch (managerCommand) {
 			case "npm":
 			/* passes through */
 			default:
-				args = ['uninstall', packageName, '--quiet', '--save'];
+				command = `${managerCommand} uninstall ${sanitizePackage} --quiet --save`;
 				break;
 		}
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.spawnSync(managerCommand, args, { stdio: "pipe", encoding: "utf8" });
+			Util.execSync(command, { stdio: "pipe", encoding: "utf8" });
 		} catch (error) {
-			Util.log(`Error uninstalling package ${packageName} with ${managerCommand}`);
+			Util.log(`Error uninstalling package ${sanitizePackage} with ${managerCommand}`);
 			if (verbose) {
 				Util.log(error.message);
 			}
 			return false;
 		}
 
-		Util.log(`Package ${packageName} uninstalled successfully`);
+		Util.log(`Package ${sanitizePackage} uninstalled successfully`);
 		return true;
 	}
 
 	public static addPackage(packageName: string, verbose: boolean = false): boolean {
 		const managerCommand = this.getManager();
-		const args = this.getInstallArgs(packageName);
+		const sanitizePackage = Util.sanitizeShellArg(packageName);
+		const command = this.getInstallCommand(managerCommand, sanitizePackage);
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.spawnSync(managerCommand, args, { stdio: "pipe", encoding: "utf8" });
+			Util.execSync(command, { stdio: "pipe", encoding: "utf8" });
 		} catch (error) {
-			Util.log(`Error installing package ${packageName} with ${managerCommand}`);
+			Util.log(`Error installing package ${sanitizePackage} with ${managerCommand}`);
 			if (verbose) {
 				Util.log(error.message);
 			}
 			return false;
 		}
-		Util.log(`Package ${packageName} installed successfully`);
+		Util.log(`Package ${sanitizePackage} installed successfully`);
 		return true;
 	}
 
 	public static async queuePackage(packageName: string, verbose = false) {
-		const args = this.getInstallArgs(packageName).map(arg => arg === '--save' ? '--no-save' : arg);
+		const command = this.getInstallCommand(this.getManager(), Util.sanitizeShellArg(packageName))
+			.replace("--save", "--no-save");
 		const [packName, version] = packageName.split(/@(?=[^\/]+$)/);
 		const packageJSON = this.getPackageJSON();
 		if (!packageJSON.dependencies) {
@@ -190,24 +192,13 @@ export class PackageManager {
 		// D.P. Concurrent install runs should be supported
 		// https://github.com/npm/npm/issues/5948
 		// https://github.com/npm/npm/issues/2500
-		const managerCommand = this.getManager();
 		const task = new Promise<{ packageName, error, stdout, stderr }>((resolve, reject) => {
-			const child = spawn(managerCommand, args);
-			let stdout = '';
-			let stderr = '';
-			child.stdout?.on('data', (data) => {
-				stdout += data.toString();
-			});
-			child.stderr?.on('data', (data) => {
-				stderr += data.toString();
-			});
-			child.on('close', (code) => {
-				const error = code !== 0 ? new Error(`Process exited with code ${code}`) : null;
-				resolve({ packageName, error, stdout, stderr });
-			});
-			child.on('error', (err) => {
-				resolve({ packageName, error: err, stdout, stderr });
-			});
+			const child = exec(
+				command, {},
+				(error, stdout, stderr) => {
+					resolve({ packageName, error, stdout, stderr });
+				}
+			);
 		});
 		task["packageName"] = packName;
 		this.installQueue.push(task);
@@ -233,10 +224,10 @@ export class PackageManager {
 	}
 
 	public static ensureRegistryUser(config: Config, message: string): boolean {
-		const fullPackageRegistry = config.igPackageRegistry;
+		const fullPackageRegistry = Util.sanitizeShellArg(config.igPackageRegistry);
 		try {
 			// tslint:disable-next-line:object-literal-sort-keys
-			Util.spawnSync('npm', ['whoami', `--registry=${fullPackageRegistry}`], { stdio: 'pipe', encoding: 'utf8' });
+			Util.execSync(`npm whoami --registry=${fullPackageRegistry}`, { stdio: "pipe", encoding: "utf8" });
 		} catch (error) {
 			// try registering the user:
 			Util.log(
@@ -257,20 +248,16 @@ export class PackageManager {
 			if (process.stdin.isTTY) {
 				process.stdin.setRawMode(true);
 			}
-			const cmd = /^win/.test(process.platform) ? "npm.cmd" : "npm"; //https://github.com/nodejs/node/issues/3675
-			const login = Util.spawnSync(cmd,
-				["adduser", `--registry=${fullPackageRegistry}`, `--scope=@infragistics`, `--auth-type=legacy`],
-				{ stdio: "inherit" }
-			);
-			if (login?.status === 0) {
+
+			try {
+				Util.execSync(
+					`npm login --registry=${fullPackageRegistry} --scope=@infragistics --auth-type=legacy`,
+					{ stdio: "inherit" }
+				);
 				//make sure scope is configured:
-				try {
-					Util.spawnSync('npm', ['config', 'set', `@infragistics:registry`, fullPackageRegistry]);
-					return true;
-				} catch (error) {
-					return false;
-				}
-			} else {
+				Util.execSync(`npm config set @infragistics:registry ${fullPackageRegistry}`);
+				return true;
+			} catch (error) {
 				Util.log(message, "red");
 				return false;
 			}
@@ -292,11 +279,7 @@ export class PackageManager {
 		}
 	}
 
-	private static getInstallArgs(packageName: string): string[] {
-		return ['install', packageName, '--quiet', '--save'];
-	}
-
-	private static getManager(/*config:Config*/): string {
+	private static getManager(/*config:Config*/): 'npm' {
 		//stub to potentially swap out managers
 		return "npm";
 	}

packages/core/util/Util.ts

@@ -283,11 +283,6 @@ export class Util {
 		}
 
 		for (const key of Object.keys(source)) {
-			// Skip keys that can affect the prototype of objects to avoid prototype pollution vulnerabilities
-			if (key === "__proto__" || key === "constructor") {
-				continue;
-			}
-
 			const sourceKeyIsArray = Array.isArray(source[key]);
 			const targetHasThisKey = target.hasOwnProperty(key);
 
@@ -321,6 +316,21 @@ export class Util {
 		}
 	}
 
+	/**
+	 * Fairly aggressive sanitize removing anything but ASCII, numbers and a few needed chars that have no action:
+	 * - semicolons (:), dots (.), underscores (_) for paths/URLs
+	 * - dashes (-) & forward slashes (/) for packages and paths/URLs
+	 * - at (@), non-leading tilde (~) for package scope & version
+	 * @remarks
+	 * Most shells should be UTF-enabled, but current usage is very limited thus no need for `\p{L}`
+	 */
+	public static sanitizeShellArg(arg: string): string {
+		return arg
+			.replace(/[^a-z0-9@:_~\^\/\.\-]/gi, '') // remove unsafe chars
+			.replace(/\^(?!\d)/g, '') // keep only ^<digit>
+			.replace(/^~/, ''); // remove leading ~
+	}
+
 	/**
 	 * Execute synchronous command with options
 	 * @param command Command to be executed
@@ -353,29 +363,18 @@ export class Util {
 	}
 
 	/**
-     * Execute synchronous command with options using spawnSync
-     * @param command Command to be executed
-     * @param args Command arguments
-     * @param options Command options
-     * @throws {Error} On non-zero exit code. Error has 'status', 'signal', 'output', 'stdout', 'stderr'
-     */
-	public static spawnSync(command: string, args: string[], options?: SpawnSyncOptions) {
-		try {
-			return spawnSync(command, args, options);
-		} catch (error) {
-			// Handle potential process interruption
-			// Check if the error output ends with "^C"
-			if (error.stderr && error.stderr.toString().endsWith() === "^C") {
-				return process.exit();
-			}
-
-			// Handle specific exit codes for different signals
-			if (error.status === 3221225786 || error.status > 128) {
-				return process.exit();
-			}
-
-			throw error;
-		}
+	 * Execute synchronous command with options using spawnSync
+	 * @param command Command to be executed
+	 * NOTE: `spawn` without `shell` (unsafe) is **not** equivalent to `exec` & requires direct path to run the correct process on win,
+	 * e.g. `npm.cmd` but that is also blocked in node@24+ for security reasons
+	 * Do not call with/add commands that are not known binaries without validating first
+	 * @param args Command arguments
+	 * @param options Command options
+	 * @returns {SpawnSyncReturns} object with status and stdout
+	 * @remarks Consuming code MUST handle the result and check for failure status!
+	 */
+	public static spawnSync(command: 'node' | 'git', args: string[], options?: Omit<SpawnSyncOptions, 'shell'>) {
+		return spawnSync(command, args, options);
 	}
 
 	/**
@@ -388,8 +387,7 @@ export class Util {
 			const options: any = { cwd: path.join(parentRoot, projectName), stdio: [process.stdin, "ignore", "ignore"] };
 			Util.execSync("git init", options);
 			Util.execSync("git add .", options);
-			const commitMessage = `"Initial commit for project: ${projectName}"`;
-			Util.spawnSync('git', ['commit', '-m', commitMessage], options);
+			Util.execSync("git commit -m " + "\"Initial commit for project\"", options);
 			Util.log(Util.greenCheck() + " Git Initialized and Project '" + projectName + "' Committed");
 		} catch (error) {
 			Util.error("Git initialization failed. Install Git in order to automatically commit the project.", "yellow");

packages/ng-schematics/src/ng-new/index.ts

@@ -174,7 +174,7 @@ export function newProject(options: OptionsSchema): Rule {
 				}
 				if (!options.skipGit) {
 					const gitTask = context.addTask(
-						new RepositoryInitializerTask(options.name, { message: `Initial commit for project: ${options.name}` }),
+						new RepositoryInitializerTask(options.name, { message: `Initial commit for project` }),
 						[...installChain] //copy
 					);
 					installChain.push(gitTask);

packages/ng-schematics/src/ng-new/index_spec.ts

@@ -152,7 +152,7 @@ describe("Schematics ng-new", () => {
 				authorEmail: undefined,
 				authorName: undefined,
 				commit: true,
-				message: `Initial commit for project: ${workingDirectory}`
+				message: `Initial commit for project`
 			};
 			const expectedStart: RunSchematicTaskOptions<any> = {
 				collection: null,
@@ -206,7 +206,7 @@ describe("Schematics ng-new", () => {
 				authorEmail: undefined,
 				authorName: undefined,
 				commit: true,
-				message: `Initial commit for project: ${workingDirectory}`
+				message: `Initial commit for project`
 			};
 			expect(taskOptions.length).toBe(2);
 			expect(mockProject.upgradeIgniteUIPackages).toHaveBeenCalled();

spec/acceptance/new-spec.ts

@@ -135,7 +135,7 @@ describe("New command", () => {
 		process.chdir(projectName);
 		expect(fs.existsSync(".git")).toBeTruthy();
 		expect(Util.execSync("git log -1 --pretty=format:'%s'").toString())
-			.toMatch("Initial commit for project: " + projectName);
+			.toMatch("Initial commit for project");
 		process.chdir("../");
 		testFolder = "./angularProj";
 	});

spec/unit/new-spec.ts

@@ -284,24 +284,12 @@ describe("Unit - New command", () => {
 			getProjectLibrary: mockProjLib
 		});
 
-		spyOn(Util, "spawnSync").and.returnValues({
-			status: 0,
-			pid: 0,
-			output: [],
-			stdout: "",
-			stderr: "",
-			signal: "SIGABRT"
-		});
-
 		await newCmd.handler({ name: projectName, framework: "jq", _: ["new"], $0: "new" });
 
 		expect(Util.execSync).toHaveBeenCalledWith("git init", jasmine.any(Object));
 		expect(Util.execSync).toHaveBeenCalledWith("git add .", jasmine.any(Object));
-		expect(Util.spawnSync).toHaveBeenCalledWith(
-			"git",
-			['commit', '-m', `"Initial commit for project: ${projectName}"`],
-			{ cwd: path.join(process.cwd(), projectName), stdio: [process.stdin, "ignore", "ignore"] }
-		);
+		expect(Util.execSync).toHaveBeenCalledWith("git commit -m \"Initial commit for project\"",
+			jasmine.any(Object));
 		expect(Util.log).toHaveBeenCalledWith(
 			jasmine.stringMatching("Git Initialized and Project '" + projectName + "' Committed")
 		);