fix: spawn execution error on Windows #517

Open
shijie-todd wants to merge 2 commits into zh-lx:next from shijie-todd:next

Conversation

@shijie-todd


name: spawn execution error on Windows
about: spawn execution error on Windows

Tip: the more detailed the information, the easier it is to investigate and fix the problem. If convenient, please join the QQ group or WeChat group listed at the bottom of this project's README.md to provide more details.

Plugin version

2.0.0-beta.6

Bug type

  • [ ] Build fails when starting the project after installing the plugin
  • [ ] No selection box appears when holding the key combination
  • [ ] Clicking the selection box does not open the IDE
  • [x] Other issue

Bug description

Using the AI Assistant feature in Claude Code CLI mode, after sending a message in the dialog box the console reports the error below. The cause is that on Windows, the `claude` file found by `where claude` is not a file that spawn can execute; `claude.cmd` should be executed instead.

[screenshot of the console error; image not included in the page text]

System

  • [x] Windows (without a WSL virtual machine)
  • [ ] Windows (with a WSL virtual machine)
  • [ ] mac
  • [ ] linux

Bundler and version you use

  • [ ] webpack
  • [x] vite
  • [ ] rspack
  • [ ] umijs
  • [ ] other

Web framework you use

  • [ ] react
  • [x] vue
  • [ ] nuxt
  • [ ] next.js
  • [ ] svelte
  • [ ] astro
  • [ ] solid
  • [ ] preact
  • [ ] qwik
  • [ ] other

Self-check information

  • [x] Are your browser, IDE and code on the same machine (not a remote or cloud development machine)?

  • [x] Does the browser console print the key-combination hint message?

  • [x] Is the data-insp-path attribute injected into the page DOM?

@qodo-free-for-open-source-projects

Review Summary by Qodo

Fix Windows spawn execution error for Claude CLI

🐞 Bug fix


Description
• Fix Windows spawn execution error for Claude CLI
• Normalize CLI path to use .cmd wrapper on Windows
• Add shell option for .cmd/.bat/.ps1 execution
• Improve path parsing with cross-platform line ending support
Diagram
flowchart LR
  A["Windows where claude"] -->|finds| B["claude file without extension"]
  B -->|normalizeClaudeCliPathForWindowsSpawn| C["claude.cmd wrapper"]
  C -->|cliPathNeedsShellSpawnOnWindows| D["spawn with shell: true"]
  D -->|success| E["CLI execution works"]

File Changes

1. packages/core/src/server/ai-provider-claude.ts 🐞 Bug fix +41/-2

Add Windows CLI path normalization and shell spawn handling

• Added normalizeClaudeCliPathForWindowsSpawn() function to convert bare claude file to
 claude.cmd on Windows
• Added cliPathNeedsShellSpawnOnWindows() function to detect when shell option is needed for spawn
• Updated findClaudeCodeCli() to normalize CLI path and handle cross-platform line endings
• Applied shell option to spawn calls in getModelInfo() and queryViaCli() functions

2. packages/core/types/server/ai-provider-claude.d.ts 🐞 Bug fix +1/-1

Update setupSdkEnvironment return type annotation

• Updated setupSdkEnvironment() return type from void to () => void


@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects Bot commented Apr 10, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0) 🎨 UX Issues (0)



Action required

1. Shell spawn command injection 🐞
Description
On Windows, `shell: true` is enabled when the CLI path is a .cmd/.bat file, while in the branch without `inputMessage`, `queryViaCli` passes the prompt from the user request to the shell as a command-line argument for parsing. Special characters or quotes in the prompt may therefore be interpreted by cmd.exe, producing command injection or simply breaking command-line parsing. Because the /ai endpoint allows cross-origin requests, a malicious web page can submit such a prompt remotely and trigger a local command-execution risk.
Code

packages/core/src/server/ai-provider-claude.ts[707]

+    ...(cliPathNeedsShellSpawnOnWindows(cliPath) ? { shell: true } : {}),
Evidence
When `inputMessage` is empty, `queryViaCli` puts the prompt into `args` (i.e. the command-line arguments); this PR additionally turns on `shell: true` for spawn in the Windows .cmd/.bat case, which sends the arguments through cmd.exe command-line parsing. The prompt originates from the `message` field of the HTTP /ai request body and is used directly when the prompt is built in `handleClaudeRequest`, with no escaping or allow-listing; at the same time the server exposes /ai externally and CORS allows any Origin, so this input is controllable cross-site.

packages/core/src/server/ai-provider-claude.ts[636-656]
packages/core/src/server/ai-provider-claude.ts[703-708]
packages/core/src/server/ai-provider-claude.ts[566-575]
packages/core/src/server/ai-provider-claude.ts[299-333]
packages/core/src/server/ai.ts[223-249]
packages/core/src/server/server.ts[72-78]
packages/core/src/server/server.ts[148-152]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
On Windows, `shell: true` is enabled for `.cmd/.bat` Claude CLI execution. When `inputMessage` is undefined, `queryViaCli` passes the user-derived `prompt` as a command-line argument, which is then parsed by `cmd.exe` when `shell: true` is used. This creates a command-injection risk and can break execution when the prompt contains quotes or shell metacharacters.
## Issue Context
- `prompt` is constructed from the HTTP `/ai` request body field `message` and is not escaped.
- The server sets permissive CORS headers and exposes `/ai`, so remote web pages can submit crafted prompts.
## Fix Focus Areas
- packages/core/src/server/ai-provider-claude.ts[636-714]
- packages/core/src/server/ai-provider-claude.ts[566-575]
- packages/core/src/server/ai-provider-claude.ts[299-372]
## Suggested fix approach
1. When `cliPathNeedsShellSpawnOnWindows(cliPath)` is true, do **not** put user-controlled `prompt` on the argv.
2. Prefer forcing the stdin JSON input path on Windows shell-spawn:
 - Build a `ClaudeCliInputMessage` even for text-only prompts (images can be empty),
 - Use `--input-format stream-json` branch so argv becomes static, and write the message JSON to stdin.
3. (Optional defense-in-depth) Tighten exposure of `/ai` (e.g., require a token / restrict Origin) if this endpoint is intended to be local-only.

