DEP0190 (passing args to spawn with shell: true) isn't fixable when `stdio` option is required

[Knagis]

Version

24.1.0

Platform

Any

Subsystem

child_process

What steps will reproduce the bug?

child_process.spawn("command", ["arg1", "arg2"], { shell: true, stdio: ["ignore", "pipe", "pipe"] })

running this on node v24 will show DEP0190

When an args array is passed to child_process.execFile or child_process.spawn with the option { shell: true }, the values are not escaped, only space-separated, which can lead to shell injection.

However, there does not seem to be any alternative to fix this warning - since exec doesn't support custom stdio option.

How often does it reproduce? Is there a required condition?

What is the expected behavior? Why is that the expected behavior?

The warning is correct, however has to be a way for the developer to fix it which doesn't seem to be the case with the current child_process APIs.

What do you see instead?

Unfixable deprecation warning.

Additional information

No response

[bnoordhuis]

Don't pass {shell: true}? If you still want to start it through a shell, invoke /bin/sh or cmd.exe directly, ex:

const cp = spawn("/bin/sh", ["-c", "ls", "-al"], {stdio: ["ignore","pipe","pipe"]})

[Knagis]

yes, that is an option, except i now have to take care of selecting the right shell on different platforms that node did by itself, handling env variables etc.

If that is the actual recommendation, then perhaps simply the shell option as a whole should be deprecated for spawn? To encourage people to use alternatives from the get go.

[bnoordhuis]

@cjihrig Colin, if I recall right you were the one who added shell everywhere, right? Do you have opinions on this one?

[cjihrig]

@bnoordhuis not really. I didn't really agree with deprecating in the first place, but now that it's done, if the option is useless, maybe it should just be deprecated/removed (I haven't been following along with this too closely).

[mohd-akram]

Using shell isn't deprecated, args + shell is. A shell takes a string that can have one or more commands, metacharacters, newlines, etc. so the correct interface is to accept a single string as done with exec (which mirrors the C system call).

child_process.spawn("command", ["arg1", "arg2"], { shell: true, stdio: ["ignore", "pipe", "pipe"] })

You can just do child_process.spawn("command arg1 arg2", { shell: true, stdio: ["ignore", "pipe", "pipe"] }) instead.

The args parameter was deprecated because it gave the mistaken impression that it's safe to pass arguments this way. The args are not really arguments, they're just text concatenated with spaces i.e., the following would delete your root directory after running command:

child_process.spawn("command", ["&&", "rm -rf /"], { shell: true, stdio: ["ignore", "pipe", "pipe"] })

The issue was people were flicking shell to true and immediately introducing a vulnerability. Part of the reason people did this was because of the mitigation Node.js introduced that disabled running .cmd and .bat on Windows entirely unless shell was true, in which case you had to do your own escaping for cmd.exe, which is full of pitfalls and is often omitted. In some cases shell was enabled unconditionally by authors to work around this, so this mitigation might have actually led to more security issues. An alternative approach taken by eg. Rust and Zig is to do the appropriate escaping when a .bat or .cmd is run without having to enable the shell option. I've implemented the same mechanism in batspawn, but perhaps it would be better to have that in Node.js itself.

[Knagis]

@mohd-akram , thank you, the missing piece was that you can do child_process.spawn("command arg1 arg2", { shell: true, stdio: ["ignore", "pipe", "pipe"] }) - the docs doesn't make that option obvious (now knowing this, of course, [, args][,options] is obvious...) - in fact it uses wording like "third argument" referring to options implying that args must be passed to pass options and none of the given examples in spawn section pass arguments in the command itself; the Spawning .bat and .cmd files on Windows section does have such example.

of course, concatenating the arguments to the spawn command easily solves this issue.