From a1ffcb71fd3b003270c51af57cfb259de52c2aa2 Mon Sep 17 00:00:00 2001
From: "fix-it-felix-sentry[bot]"
 <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com>
Date: Wed, 18 Feb 2026 14:27:20 -0800
Subject: [PATCH] fix(cli): Use explicit shell invocation to prevent command
 injection

This change addresses VULN-1080 by replacing the implicit shell=true option
with explicit shell invocation using sh/cmd.exe. This provides the same
functionality while being more explicit about shell execution and avoiding
potential command injection risks.

Changes:
- Removed shell=true option from spawn() call
- Added explicit shell executable (sh on Unix, cmd.exe on Windows)
- Used shell flags (-c for Unix, /c for Windows) to execute commands
- Maintained backward compatibility with package.json script execution

Resolves: https://linear.app/getsentry/issue/VULN-1080
Resolves: https://linear.app/getsentry/issue/BE-623
---
 packages/spotlight/src/server/cli/run.ts | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/packages/spotlight/src/server/cli/run.ts b/packages/spotlight/src/server/cli/run.ts
index b935d7106..524f1d03e 100644
--- a/packages/spotlight/src/server/cli/run.ts
+++ b/packages/spotlight/src/server/cli/run.ts
@@ -197,7 +197,6 @@ export async function handler({
   if (open) {
     openInBrowser(actualServerPort);
   }
-  let shell = false;
   let stdin: string | undefined = undefined;
   const env = {
     ...process.env,
@@ -238,8 +237,11 @@ export async function handler({
       } else {
         logger.info(`Using package.json script: ${packageJson.scriptName}`);
         metrics.count("cli.run.autodetect", 1, { attributes: { type: "package-json" } });
-        cmdArgs = [packageJson.scriptCommand];
-        shell = true;
+        // Use explicit shell invocation instead of shell=true to avoid command injection risks
+        // This provides the same functionality while being more explicit about shell execution
+        const shellExecutable = process.platform === "win32" ? "cmd.exe" : "sh";
+        const shellFlag = process.platform === "win32" ? "/c" : "-c";
+        cmdArgs = [shellExecutable, shellFlag, packageJson.scriptCommand];
         env.PATH = path.resolve("./node_modules/.bin") + path.delimiter + env.PATH;
       }
     } else if (dockerCompose) {
@@ -251,8 +253,11 @@ export async function handler({
     } else if (packageJson) {
       logger.info(`Using package.json script: ${packageJson.scriptName}`);
       metrics.count("cli.run.autodetect", 1, { attributes: { type: "package-json" } });
-      cmdArgs = [packageJson.scriptCommand];
-      shell = true;
+      // Use explicit shell invocation instead of shell=true to avoid command injection risks
+      // This provides the same functionality while being more explicit about shell execution
+      const shellExecutable = process.platform === "win32" ? "cmd.exe" : "sh";
+      const shellFlag = process.platform === "win32" ? "/c" : "-c";
+      cmdArgs = [shellExecutable, shellFlag, packageJson.scriptCommand];
       env.PATH = path.resolve("./node_modules/.bin") + path.delimiter + env.PATH;
     }
   } else {
@@ -283,7 +288,6 @@ export async function handler({
   const runCmd = spawn(cmdArgs[0], cmdArgs.slice(1), {
     cwd: process.cwd(),
     env,
-    shell,
     windowsVerbatimArguments: true,
     windowsHide: true,
     stdio: [stdinMode, "pipe", "pipe"],