[Security] Add command safety check to execCommand

gonzaloriestra · cursoragent · gonzaloriestra · commit 73306daa6eed · 2026-05-04T10:23:16.000+02:00
This change adds a call to `checkCommandSafety` in the `execCommand` function in `packages/cli-kit/src/public/node/system.ts`. This ensures that any command executed via `execCommand` is checked for unsecure binaries in the current working directory, preventing binary planting/PATH hijacking attacks.

A test case has been added to `packages/cli-kit/src/public/node/system.test.ts` to verify this behavior.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/packages/cli-kit/src/public/node/system.test.ts b/packages/cli-kit/src/public/node/system.test.ts
@@ -266,6 +266,17 @@ describe('execCommand', () => {
     // Then
     expect(execaCommand).toHaveBeenCalledWith('cat', expect.objectContaining({stdin: 'inherit'}))
   })
+
+  test('raises an error if the command to run is found in the current directory', async () => {
+    // Given
+    vi.mocked(which.sync).mockReturnValueOnce('/currentDirectory/command')
+
+    // When
+    const got = system.execCommand('command', {cwd: '/currentDirectory'})
+
+    // Then
+    await expect(got).rejects.toThrowError('Skipped run of unsecure binary command found in the current directory.')
+  })
 })
 
 describe('isStdinPiped', () => {
diff --git a/packages/cli-kit/src/public/node/system.ts b/packages/cli-kit/src/public/node/system.ts
@@ -206,6 +206,10 @@ export async function execCommand(command: string, options?: ExecOptions): Promi
     env.FORCE_COLOR = '1'
   }
   const executionCwd = options?.cwd ?? cwd()
+  const [cmd] = parseCommand(command)
+  if (cmd) {
+    checkCommandSafety(cmd, {cwd: executionCwd})
+  }
   try {
     await execaCommand(command, {
       env,
