Bug Report
Description: packages/desktop-electron/src/main/cli.ts lines 122-238 contain an OS command injection risk. The spawnCommand function accepts a raw string args parameter and interpolates it directly into shell commands (bash -c, WSL script) without escaping individual arguments. If any parameter (e.g. hostname) contains shell metacharacters such as `; rm -rf /` or `$(whoami)`, they will be interpreted by the shell.
CWE: CWE-78 (OS Command Injection)
File: packages/desktop-electron/src/main/cli.ts:122-238
Severity: High
Reproduction:
Calling serve("127.0.0.1; rm -rf /", 4096, "pass") would produce a shell command where ; rm -rf / is executed as a separate command.
Proposed Fix: Change spawnCommand/buildCommand to accept string[] instead of string, and shellEscape each argument individually before interpolation.
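The shape of the proposed fix, as an added example that is not the project's cli.ts code: buildCommand takes a string[] and shellEscape quotes each argument for a POSIX shell (bash -c, WSL bash), so the report's hostname payload becomes a single inert argument. The names shellEscape, buildCommand, serve and the binary name app-cli are assumptions.

```typescript
// Added example; the real cli.ts implementation is not reproduced here.

/**
 * Quote one argument for a POSIX shell. Single quotes disable every
 * metacharacter; an embedded single quote is closed, backslash-escaped
 * and reopened, so  it's  becomes  'it'\''s'.
 */
function shellEscape(arg: string): string {
  if (arg === "") return "''";
  // Fast path: characters that are safe unquoted in POSIX shells.
  if (/^[A-Za-z0-9_@%+=:,./-]+$/.test(arg)) return arg;
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

/**
 * Build the command line from an argv array instead of a pre-joined string.
 * Every element is escaped on its own, so callers cannot smuggle in a second
 * command through a value such as the hostname.
 */
function buildCommand(program: string, args: string[]): string {
  return [program, ...args].map(shellEscape).join(" ");
}

/** Hypothetical serve() wrapper in the shape the report describes. */
function serve(host: string, port: number, password: string): string {
  // "app-cli" is a placeholder binary name, not the project's.
  return buildCommand("app-cli", [
    "serve",
    "--host", host,
    "--port", String(port),
    "--password", password,
  ]);
}
```

If the command can be run without a shell at all (child_process.spawn with an argv array and shell: false), that removes the quoting problem entirely; the escaping above is for the bash -c and WSL script paths the report names.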