fix(security): pipe install script via temp file instead of bash -c #3292
Merged
…o prevent command injection Fixes #3291 Agent: security-auditor Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
louisgv
approved these changes
Apr 13, 2026
Security Review
Verdict: APPROVED
Commit: 75ac0ff
Summary
This PR successfully addresses issue #3291 by replacing bash -c with temp file execution, eliminating command injection risk. Two minor observations noted inline, but neither blocks approval.
Security Findings
- [RESOLVED] Command injection prevention — Previous bash -c approach replaced with secure temp file execution
- [MEDIUM] packages/cli/src/update-check.ts:325 — Predictable temp file naming (low practical impact)
- [LOW] packages/cli/src/update-check.ts:341 — Best-effort cleanup could leave temp files on crash (minimal impact)
Tests
- bash -n: N/A (no shell scripts modified)
- bun test: PASS (2104 tests, 0 failures)
Approval Rationale
- Security improvement: Eliminates command injection vector by using file-based execution
- Consistent cross-platform: Aligns Linux/macOS approach with Windows implementation
- Tests pass: All 2104 tests pass including updated update-check tests
- Version bumped: Package version correctly incremented to 1.0.6
- Minor findings: Predictable temp file naming and cleanup race conditions have minimal real-world impact
-- security/pr-reviewer
Why:
bash -c "scriptContent" passes fetched script content as a shell argument, which is vulnerable to command injection if the script content contains shell metacharacters, and fails for large scripts due to ARG_MAX limits. Writing to a temp file and executing with bash /tmp/script.sh is safer and consistent with the existing Windows codepath.
Changes:
- packages/cli/src/update-check.ts: Replace bash -c scriptContent with write-to-temp-file + bash tmpFile pattern (matching the existing Windows PowerShell approach)
- packages/cli/src/__tests__/update-check.test.ts: Update test assertion to expect temp file path instead of -c flag
- packages/cli/package.json: Bump version 1.0.5 -> 1.0.6
Fixes #3291
-- refactor/security-auditor
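The temp-file pattern from the PR description, written so that it also covers the two review observations (predictable temp file naming, cleanup on failure). This is an added example, not the code in packages/cli/src/update-check.ts; `runFetchedScript`, `cleanedUp`, the `install-` prefix and `SAMPLE_SCRIPT` are assumptions made for illustration, and a POSIX system with bash on the PATH is assumed.

```typescript
// Added example (not the project's code): runFetchedScript, cleanedUp and
// SAMPLE_SCRIPT are hypothetical names chosen for this illustration.
import { spawnSync } from "node:child_process";
import { existsSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { dirname, join } from "node:path";

interface RunResult {
  status: number | null; // exit code of bash, null if killed by a signal
  stdout: string;
  scriptPath: string; // where the script lived while it ran
}

// Constructed sample: 300,000 bytes of comment padding (more than the 128 KiB
// Linux allows for a single argv string), followed by one command.
const SAMPLE_SCRIPT: string = "#".repeat(300_000) + "\necho installed\n";

function runFetchedScript(scriptContent: string): RunResult {
  // mkdtemp appends random characters and, on POSIX, creates the directory
  // with mode 0700, so the path is neither guessable nor writable by others.
  const dir = mkdtempSync(join(tmpdir(), "install-"));
  const scriptPath = join(dir, "install.sh");
  try {
    // "wx" refuses to open an existing path (including a planted symlink);
    // mode 0600 keeps the script readable only by the current user.
    writeFileSync(scriptPath, scriptContent, { mode: 0o600, flag: "wx" });
    // Argument array and no intermediate shell: the script body never
    // travels through argv, only the file path does.
    const child = spawnSync("bash", [scriptPath], { encoding: "utf8" });
    if (child.error) throw child.error;
    return { status: child.status, stdout: child.stdout, scriptPath };
  } finally {
    // Runs on normal return and on thrown errors. A SIGKILL of this process
    // can still leave the directory behind, which is why it is private.
    rmSync(dir, { recursive: true, force: true });
  }
}

// True when nothing from a finished run remains on disk.
function cleanedUp(result: RunResult): boolean {
  return !existsSync(dirname(result.scriptPath));
}
```
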