Nx
Latest CI Pipeline Executions
Succeeded
22.4.5
43a34d0b fix(core): prevent command injection in getNpmPackageVersion (#34309)

## Current Behavior

The `getNpmPackageVersion` function in `packages/workspace/src/generators/utils/get-npm-package-version.ts` uses `execSync` with direct string interpolation of the `packageName` parameter. When a user runs `create-nx-workspace` with a custom `--preset` value that doesn't match a known preset, the value flows unsanitized into a shell command:

```js
execSync(`npm view ${packageName}... version --json`)
```

This allows arbitrary command execution via shell metacharacters (e.g., `--preset='pkg$(malicious command)'`).

## Expected Behavior

User-supplied package names are validated against a strict npm package name regex before being passed to any shell command. The function now uses `execFileSync` with an args array instead of `execSync` with string interpolation, providing defense in depth:

1. **Input validation** — rejects anything that isn't a valid npm package name
2. **Safe execution** — arguments are passed as an array so Node.js handles escaping, rather than concatenating into a raw shell string

(cherry picked from commit 79d878f24041a680fa103eb1b346bab72b8e88d0)
3 hours ago
by FrozenPandaz