fix: escape executable name in libnpmexec run-script (#9467)

github-actions[bot] · rootvector2 · web-flow · commit 1bb1b8c2606b · 2026-06-02T11:33:47.000-07:00
Backport of #9436 to `release/v11`. Co-authored-by: Dexter.k <164054284+rootvector2@users.noreply.github.com>
diff --git a/workspaces/libnpmexec/lib/run-script.js b/workspaces/libnpmexec/lib/run-script.js
@@ -19,7 +19,9 @@ const run = async ({
   // necessary for preventing bash/cmd keywords from overriding
   if (!isWindowsShell) {
     if (args.length > 0) {
-      args[0] = '"' + args[0] + '"'
+      // single-quote so shell metacharacters in the executable name are taken
+      // literally; double quotes still expand $(), backticks, $var and "
+      args[0] = `'${args[0].replace(/'/g, `'\\''`)}'`
     }
   }
 
diff --git a/workspaces/libnpmexec/test/run-script.js b/workspaces/libnpmexec/test/run-script.js
@@ -130,6 +130,20 @@ t.test('isWindows', async t => {
   await runScript()
 })
 
+t.test('escapes executable name to neutralize shell metacharacters', async t => {
+  let pkg
+  const { runScript } = await mockRunScript(t, {
+    'ci-info': { isCI: true },
+    '@npmcli/run-script': async (opts) => {
+      pkg = opts.pkg
+    },
+    '../lib/is-windows.js': false,
+  })
+
+  await runScript({ args: [`evil'; touch pwned #`] })
+  t.equal(pkg.scripts.npx, `'evil'\\''; touch pwned #'`)
+})
+
 t.test('isNotWindows', async t => {
   const { runScript } = await mockRunScript(t, {
     'ci-info': { isCI: true },

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,9 @@ const run = async ({`
`19`	`19`	`// necessary for preventing bash/cmd keywords from overriding`
`20`	`20`	`if (!isWindowsShell) {`
`21`	`21`	`if (args.length > 0) {`
`22`		`- args[0] = '"' + args[0] + '"'`
	`22`	`+ // single-quote so shell metacharacters in the executable name are taken`
	`23`	`+ // literally; double quotes still expand $(), backticks, $var and "`
	`24`	+ args[0] = `'${args[0].replace(/'/g, `'\\''`)}'`
`23`	`25`	`}`
`24`	`26`	`}`
`25`	`27`