Security Bug: Shell Command Injection
File: src/task/runtime/BackgroundTaskRuntime.ts lines 100-105
child = this.options.spawn(spec.command, {
shell: true, // No validation
detached: true,
});Security Impact:
- Arbitrary shell command execution via user-controlled input
- CVSS ~8.1 (High)
Recommended Fix:
Use array form of spawn without shell:
child = this.options.spawn(command, args, { shell: false });
// Validate command against allowlist
Security Bug: Shell Command Injection
File:
src/task/runtime/BackgroundTaskRuntime.tslines 100-105Security Impact:
Recommended Fix:
Use array form of spawn without shell: