From cc5871a8babdf747143a3463a9d8ff6f4bdad57c Mon Sep 17 00:00:00 2001
From: Julius Marminge
Date: Fri, 10 Apr 2026 00:58:49 -0700
Subject: [PATCH 1/2] Mitigate Windows GH CLI command injection

---
 apps/server/src/git/Layers/GitHubCli.ts | 1 +
 apps/server/src/processRunner.ts | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/server/src/git/Layers/GitHubCli.ts b/apps/server/src/git/Layers/GitHubCli.ts
index 280679e337..9ac3c99ed1 100644
--- a/apps/server/src/git/Layers/GitHubCli.ts
+++ b/apps/server/src/git/Layers/GitHubCli.ts
@@ -168,6 +168,7 @@ const makeGitHubCli = Effect.sync(() => {
 runProcess("gh", input.args, {
 cwd: input.cwd,
 timeoutMs: input.timeoutMs ?? DEFAULT_TIMEOUT_MS,
+ shell: false,
 }),
 catch: (error) => normalizeGitHubCliError("execute", error),
 });
diff --git a/apps/server/src/processRunner.ts b/apps/server/src/processRunner.ts
index 5402612887..7def145493 100644
--- a/apps/server/src/processRunner.ts
+++ b/apps/server/src/processRunner.ts
@@ -8,6 +8,7 @@ export interface ProcessRunOptions {
 allowNonZeroExit?: boolean | undefined;
 maxBufferBytes?: number | undefined;
 outputMode?: "error" | "truncate" | undefined;
+ shell?: boolean | undefined;
 }
 
 export interface ProcessRunResult {
@@ -139,7 +140,7 @@ export async function runProcess(
 cwd: options.cwd,
 env: options.env,
 stdio: "pipe",
- shell: process.platform === "win32",
+ shell: options.shell ?? (process.platform === "win32"),
 });
 
 let stdout = "";

From ce1b679cc951cee64aa4492feb3b9cb63e5a313a Mon Sep 17 00:00:00 2001
From: Julius Marminge
Date: Fri, 10 Apr 2026 01:06:46 -0700
Subject: [PATCH 2/2] Disable shell by default in process runner

- Keep `spawn` shell usage limited to Windows defaults
- Avoid shell-based command execution on other platforms

---
 apps/server/src/processRunner.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/server/src/processRunner.ts b/apps/server/src/processRunner.ts
index 7def145493..cb5881cef0 100644
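Review bot: Passing `shell: false` on the `gh` call fixes only this call site; any other `runProcess` caller that omits the option still gets a shell on Windows under the default this same patch introduces in processRunner.ts, so user-influenced arguments reaching those callers would still be interpreted by cmd.exe. I would flip the default inside `runProcess` and make shell an explicit opt-in, at which point this line serves as documentation of intent rather than the actual mitigation. It is also worth confirming that `gh` resolves to `gh.exe` on Windows rather than a `.cmd` wrapper, since newer Node versions refuse to spawn `.bat`/`.cmd` files without a shell. The enclosing `makeGitHubCli` starts outside the hunk.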
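Review bot: The new `shell` option on `ProcessRunOptions` carries no doc comment, and `boolean | undefined` does not tell a reader whether `undefined` means "no shell" or "platform default", which is exactly the distinction that matters for injection. I would add above the field: `/** Spawn through a shell. Leave unset/false whenever args may contain caller-supplied text: with a shell, spawn joins command and args into one unescaped command line. */` and state the platform default there as well.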
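Review bot: The new default `options.shell ?? (process.platform === "win32")` still selects a shell for every Windows run, so the injection named in the subject line remains reachable from any caller that does not pass `shell: false` explicitly; with `shell: true`, `spawn` concatenates the command and its args into a single cmd.exe line without escaping. The safer shape is `shell: options.shell ?? false,` with an explicit opt-in at the call sites that genuinely need a `.cmd`/`.bat` wrapper resolved. The second patch in this series touches the same line and keeps the same Windows default. `runProcess` continues outside the hunk.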
--- a/apps/server/src/processRunner.ts
+++ b/apps/server/src/processRunner.ts
@@ -140,7 +140,7 @@ export async function runProcess(
 cwd: options.cwd,
 env: options.env,
 stdio: "pipe",
- shell: options.shell ?? (process.platform === "win32"),
+ shell: options.shell ?? process.platform === "win32",
 });
 
 let stdout = "";
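Review bot: The commit title and body say the shell is disabled by default, but the only change to the line is dropping the parentheses; `??` already binds looser than `===`, so `options.shell ?? process.platform === "win32"` evaluates exactly as before and Windows still defaults to a shell. If a shell-off default is the intent, the line should read `shell: options.shell ?? false,`; otherwise the message should say this is a formatting-only change so nobody relies on it as a mitigation. `runProcess` continues outside the hunk.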