
fix(core): remove shell: true from spawn() in ralph checks #243

Open
0xAxiom wants to merge 1 commit into main from fix/remove-shell-injection-risk

Conversation

@0xAxiom (Owner) commented May 1, 2026

What

Removes shell: true from the spawn() call in core/src/ralph/checks.ts.

Why

shell: true enables shell interpretation of the command string, which creates a shell injection vector. If any argument or cwd value ever contained shell metacharacters (;, &&, $(...), etc.), the shell would interpret them.

In this specific function, all callers pass hardcoded commands (npm, npx) with fixed argument arrays, so shell interpretation provides zero benefit while adding unnecessary risk. Static analysis tools (e.g. the ralph security scanner already present in this repo) correctly flag this pattern.

Before:

const proc = spawn(command, args, {
  cwd,
  shell: true,   // ← unnecessary, widens attack surface
  stdio: ['pipe', 'pipe', 'pipe'],
});

After:

const proc = spawn(command, args, {
  cwd,
  stdio: ['pipe', 'pipe', 'pipe'],
});

Scope

Single-line change in core/src/ralph/checks.ts:25. No behaviour change on Linux/macOS where npm and npx are directly executable. If Windows support is needed in future, shell: process.platform === 'win32' is the idiomatic approach.

Tested

  • npm run type-check passes (exit 0)
  • npm run lint output unchanged

🤖 Generated with Claude Code

using shell: true unnecessarily expands the attack surface: if any
argument or path ever contains shell metacharacters, the shell would
interpret them. all commands in runCommand() are hardcoded (npm, npx)
with fixed arg arrays, so shell interpretation provides no benefit.

removing shell: true eliminates the vector and silences the static
analysis warning. on linux/macos npm and npx are directly executable;
if windows support is needed in future, callers can pass shell: true
explicitly or use spawn's shell option conditionally.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@0xAxiom 0xAxiom requested a review from MeltedMindz as a code owner May 1, 2026 00:03