fix(cli): Use explicit shell invocation to prevent command injection (VULN-1080)

[fix-it-felix-sentry]

Summary

This PR addresses a security finding identified by Semgrep regarding potential command injection vulnerability in the spotlight run CLI command.

Changes

• Replaced implicit shell=true option with explicit shell invocation
• Uses sh -c on Unix systems and cmd.exe /c on Windows
• Maintains backward compatibility with package.json script execution
• Removes the shell variable as it's no longer needed

Technical Details

The previous implementation used spawn() with shell: true, which can be vulnerable to command injection if user input is not properly sanitized. While this was a false positive (the input comes from the user's own package.json), the fix follows security best practices by being explicit about shell invocation.

Before:

cmdArgs = [packageJson.scriptCommand];
shell = true;
spawn(cmdArgs[0], cmdArgs.slice(1), { shell, ... });

After:

const shellExecutable = process.platform === "win32" ? "cmd.exe" : "sh";
const shellFlag = process.platform === "win32" ? "/c" : "-c";
cmdArgs = [shellExecutable, shellFlag, packageJson.scriptCommand];
spawn(cmdArgs[0], cmdArgs.slice(1), { ... });

Testing

The existing E2E tests in tests/e2e/cli/run.e2e.test.ts should verify that:

• Commands still execute correctly
• Environment variables are properly set
• Both Unix and Windows platforms work as expected

References

• Parent ticket: https://linear.app/getsentry/issue/VULN-1080
• Child ticket: https://linear.app/getsentry/issue/BE-623
• Semgrep Rule
• OWASP Command Injection Guide

[linear]

VULN-1080 Command Injection vulnerability in getsentry/spotlight server/cli/run.ts

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
spotlightjs	Skipped		Feb 18, 2026 10:27pm

[github-actions]

Semver Impact of This PR

🟢 Patch (bug fixes)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).

---

New Features ✨

• (telemetry) EmptyState component by Shubhdeep12 in #1264
• (ui) Collapsible insights section by Shubhdeep12 in #1263
• Added new codecov action by MathurAditya724 in #1255

Bug Fixes 🐛

Cli

• Use explicit shell invocation to prevent command injection (VULN-1080) by fix-it-felix-sentry[bot] in #1271

• Show options in command-specific help output by BYK in #1260

Other

• (deps) Address Dependabot security alerts by BYK in #1261
• (ui) Update TelemetryView layout for better responsiveness by Shubhdeep12 in #1262
• Updated the codecov action to point to getsentry by MathurAditya724 in #1259

Internal Changes 🔧

Deps

• Bump hono from 4.11.4 to 4.11.7 by dependabot in #1267
• Bump hono from 4.10.3 to 4.11.4 by dependabot in #1254

Other

• (ci) Fix workflow warnings for cache action and codecov by BYK in #1251
• (release) Fix Docker Latest Target by BYK in #1252
• Use pull_request_target for changelog preview by BYK in #1256

Other

• Update documentation link in README.md by sergical in #1253

---

_{🤖 This preview updates automatically when you update the PR.}

[github-actions]

Codecov Results 📊

✅ Patch coverage is 100.00%. Project has 1348 uncovered lines.
✅ Project coverage is 76.31%. Comparing base (base) to head (head).

Files with missing lines (31)

File	Patch %	Lines
event.ts	52.61%	⚠️ 263 Missing
mcp.ts	65.91%	⚠️ 151 Missing
messageBuffer.ts	67.57%	⚠️ 120 Missing
docker-compose.ts	77.33%	⚠️ 85 Missing
utils.ts	31.71%	⚠️ 84 Missing
extras.ts	28.13%	⚠️ 69 Missing
debugLogging.ts	29.47%	⚠️ 67 Missing
utils.ts	75.28%	⚠️ 66 Missing
index.ts	24.59%	⚠️ 46 Missing
cors.ts	91.08%	⚠️ 39 Missing and 1 partials
logs.ts	28.85%	⚠️ 37 Missing
traces.ts	93.10%	⚠️ 33 Missing and 1 partials
userAgent.ts	52.63%	⚠️ 27 Missing
index.ts	80.47%	⚠️ 25 Missing
utils.ts	66.67%	⚠️ 23 Missing
errors.ts	75.53%	⚠️ 23 Missing
JsonViewer.tsx	71.62%	⚠️ 21 Missing
traces.ts	75.86%	⚠️ 21 Missing
processEnvelope.ts	86.67%	⚠️ 18 Missing
eventContainer.ts	78.05%	⚠️ 18 Missing
open.ts	42.86%	⚠️ 16 Missing
CodeViewer.tsx	54.55%	⚠️ 15 Missing
contentType.ts	66.67%	⚠️ 15 Missing
Attachment.tsx	90.00%	⚠️ 12 Missing and 1 partials
helpers.ts	70.27%	⚠️ 11 Missing
streaming.ts	76.09%	⚠️ 11 Missing
ShikiProvider.tsx	54.17%	⚠️ 11 Missing
AnsiText.tsx	91.00%	⚠️ 9 Missing
logger.ts	65.22%	⚠️ 8 Missing
logger.ts	87.50%	⚠️ 4 Missing and 1 partials
profileChunkProcessor.ts	100.00%	⚠️ 1 partials

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    76.31%    76.31%        —%
==========================================
  Files           47        47         —
  Lines         5690      5690         —
  Branches       611       611         —
==========================================
+ Hits          4342      4342         —
- Misses        1348      1348         —
- Partials         5         5         —

---

Generated by Codecov Action

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Windows shell invocation missing /d and /s flags

Medium Severity

On Windows, Node.js shell: true internally invokes cmd.exe /d /s /c "command", but the replacement only uses /c. The missing /d flag means registry AutoRun commands could execute before the user's script (ironically a security regression for a security fix). The missing /s flag changes how cmd.exe handles quote stripping after /c, which can break scripts containing quoted arguments (e.g., node -e "console.log('hi')"). The command also isn't wrapped in double quotes as Node.js does internally.

Additional Locations (1)

• packages/spotlight/src/server/cli/run.ts#L257-L260