fix: use execFile for pnpm remove to avoid shell interpolation

fernandomg · fernandomg · commit 3642f3d740dd · 2026-03-20T15:07:59.000+01:00
installPackages interpolated package names from featureDefinitions
into a shell command string via exec(). While the data is developer-
controlled, this contradicts the stated security principle. Switch to
execFile with an args array for consistency with cloneRepo.
diff --git a/source/__tests__/operations/installPackages.test.ts b/source/__tests__/operations/installPackages.test.ts
@@ -6,7 +6,7 @@ vi.mock('../../operations/exec.js', () => ({
   execFile: vi.fn().mockResolvedValue(''),
 }))
 
-const { exec } = await import('../../operations/exec.js')
+const { exec, execFile } = await import('../../operations/exec.js')
 const { installPackages } = await import('../../operations/installPackages.js')
 
 describe('installPackages', () => {
@@ -50,25 +50,28 @@ describe('installPackages', () => {
       await installPackages('/project/my_app', 'custom', ['demo'])
 
       const removeCall = vi
-        .mocked(exec)
-        .mock.calls.find((call) => typeof call[0] === 'string' && call[0].startsWith('pnpm remove'))
+        .mocked(execFile)
+        .mock.calls.find((call) => call[0] === 'pnpm' && call[1][0] === 'remove')
       expect(removeCall).toBeDefined()
 
-      const removeCmd = removeCall?.[0] as string
+      const removeArgs = removeCall?.[1] as string[]
       for (const pkg of featureDefinitions.subgraph.packages) {
-        expect(removeCmd).toContain(pkg)
+        expect(removeArgs).toContain(pkg)
       }
       for (const pkg of featureDefinitions.typedoc.packages) {
-        expect(removeCmd).toContain(pkg)
+        expect(removeArgs).toContain(pkg)
       }
     })
 
     it('runs postinstall after pnpm remove', async () => {
       const callOrder: string[] = []
-      vi.mocked(exec).mockImplementation(async (cmd) => {
-        if (typeof cmd === 'string' && cmd.startsWith('pnpm remove')) {
+      vi.mocked(execFile).mockImplementation(async (_file, args) => {
+        if (args[0] === 'remove') {
           callOrder.push('remove')
         }
+        return ''
+      })
+      vi.mocked(exec).mockImplementation(async (cmd) => {
         if (typeof cmd === 'string' && cmd.includes('postinstall')) {
           callOrder.push('postinstall')
         }
@@ -84,13 +87,36 @@ describe('installPackages', () => {
       await installPackages('/project/my_app', 'custom', ['demo', 'subgraph'])
 
       const removeCall = vi
-        .mocked(exec)
-        .mock.calls.find((call) => typeof call[0] === 'string' && call[0].startsWith('pnpm remove'))
+        .mocked(execFile)
+        .mock.calls.find((call) => call[0] === 'pnpm' && call[1][0] === 'remove')
+      expect(removeCall).toBeDefined()
+
+      const removeArgs = removeCall?.[1] as string[]
+      for (const pkg of featureDefinitions.subgraph.packages) {
+        expect(removeArgs).not.toContain(pkg)
+      }
+    })
+
+    it('uses execFile for pnpm remove to avoid shell interpolation', async () => {
+      await installPackages('/project/my_app', 'custom', ['demo'])
+
+      expect(execFile).toHaveBeenCalledWith('pnpm', expect.arrayContaining(['remove']), {
+        cwd: '/project/my_app',
+      })
+    })
+
+    it('passes each package as a separate arg to execFile', async () => {
+      await installPackages('/project/my_app', 'custom', ['demo'])
+
+      const removeCall = vi
+        .mocked(execFile)
+        .mock.calls.find((call) => call[0] === 'pnpm' && call[1][0] === 'remove')
       expect(removeCall).toBeDefined()
 
-      const removeCmd = removeCall?.[0] as string
+      const removeArgs = removeCall?.[1] as string[]
+      expect(removeArgs[0]).toBe('remove')
       for (const pkg of featureDefinitions.subgraph.packages) {
-        expect(removeCmd).not.toContain(pkg)
+        expect(removeArgs).toContain(pkg)
       }
     })
   })
diff --git a/source/operations/installPackages.ts b/source/operations/installPackages.ts
@@ -1,7 +1,7 @@
 import type { FeatureName } from '../constants/config.js'
 import type { InstallationType } from '../types/types.js'
 import { getPackagesToRemove } from '../utils/utils.js'
-import { exec } from './exec.js'
+import { exec, execFile } from './exec.js'
 
 export async function installPackages(
   projectFolder: string,
@@ -20,6 +20,6 @@ export async function installPackages(
     return
   }
 
-  await exec(`pnpm remove ${packagesToRemove.join(' ')}`, { cwd: projectFolder })
+  await execFile('pnpm', ['remove', ...packagesToRemove], { cwd: projectFolder })
   await exec('pnpm run postinstall', { cwd: projectFolder })
 }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import type { FeatureName } from '../constants/config.js'`
`2`	`2`	`import type { InstallationType } from '../types/types.js'`
`3`	`3`	`import { getPackagesToRemove } from '../utils/utils.js'`
`4`		`-import { exec } from './exec.js'`
	`4`	`+import { exec, execFile } from './exec.js'`
`5`	`5`
`6`	`6`	`export async function installPackages(`
`7`	`7`	`projectFolder: string,`
`@@ -20,6 +20,6 @@ export async function installPackages(`
`20`	`20`	`return`
`21`	`21`	`}`
`22`	`22`
`23`		- await exec(`pnpm remove ${packagesToRemove.join(' ')}`, { cwd: projectFolder })
	`23`	`+ await execFile('pnpm', ['remove', ...packagesToRemove], { cwd: projectFolder })`
`24`	`24`	`await exec('pnpm run postinstall', { cwd: projectFolder })`
`25`	`25`	`}`