fix(package-manager): prevent CWE-78 OS command injection across all Windows spawn paths

[g0w6y]

Problem

Five locations in Angular CLI concatenated user-controlled arguments
into a raw shell string executed by cmd.exe with shell: true.
Any shell metacharacter (&, |, >, ^) in a crafted package
specifier or --package-manager flag value silently injects and
executes arbitrary OS commands alongside the legitimate process.

File	Injection vector
package-managers/host.ts	ng add <pkg>, ng update
tasks/package-manager/executor.ts	Any schematic NodePackageInstallTask
ssr-dev-server/utils.ts	SSR dev-server process spawn
ssr-dev-server/index.ts	spawnAsObservable with stray shell:true
schematics/angular/workspace/index.ts	ng new --package-manager=<value>

Fix

Windows spawn paths (host.ts, executor.ts, utils.ts):
Replace spawn(\${cmd} ${args.join(' ')}`, { shell: true })with directcmd.exearray invocation usingshell: false`. Node.js
controls argument quoting — metacharacters never reach cmd.exe as
shell operators.

// BEFORE — unsafe
spawn(`${command} ${args.join(' ')}`, { shell: isWin32 })

// AFTER — safe
spawn('cmd.exe', ['/d', '/s', '/c', command, ...args], { shell: false })

ssr-dev-server/index.ts: Remove stray shell: true from the
spawnAsObservable call-site. Platform dispatch is handled inside
utils.ts.

workspace/index.ts: Add ALLOWED_PKG_MANAGERS Set guard before
execSync(\${packageManager} --version`). Only npm, yarn, pnpm, bun, cnpmaccepted — blocks all-platform injection viang new --package-manager`.

Relation to prior work

Follows the fix pattern from #32678 which patched the analogous
repo-init/executor.ts path. This PR closes all five remaining
vulnerable locations.

Verification

grep -rn "args\.join(' ')\|shell: true\|shell: isWin32" \
  packages/angular/cli/src/package-managers/host.ts \
  packages/angular_devkit/schematics/tasks/package-manager/executor.ts \
  packages/angular_devkit/build_angular/src/builders/ssr-dev-server/utils.ts \
  packages/angular_devkit/build_angular/src/builders/ssr-dev-server/index.ts \
  packages/schematics/angular/workspace/index.ts | grep -v "^\s*//"
# Expected: zero output

CWE: CWE-78 — Improper Neutralisation of Special Elements in an OS Command

[gemini-code-assist]

Code Review

This pull request addresses command injection vulnerabilities (CWE-78) by replacing shell-based command execution with direct process spawning. On Windows, the implementation now invokes cmd.exe using array-based arguments and shell:false to prevent metacharacter injection. Additionally, an allowlist for package managers was added to secure execSync calls. The review feedback points out that the escapeArgForWindowsShell function is unused and should be removed to eliminate dead code.

[g0w6y]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses command injection vulnerabilities (CWE-78) by refactoring how child processes are spawned across several packages. Specifically, it replaces the use of shell: true and string concatenation with direct cmd.exe invocations on Windows using argument arrays and shell: false. It also adds an allowlist for package managers in the workspace schematic to prevent arbitrary command execution. Review feedback identifies functional regressions introduced by these changes: since the shell is no longer interpreting the command string, arguments that were previously manually quoted (such as file paths or registry URLs) will now be passed with literal quotes to the underlying process, causing them to fail. These arguments need to be updated to remove manual quoting.

[g0w6y]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses command injection vulnerabilities (CWE-78) by refactoring process spawning logic across several packages. It replaces shell-based execution and string concatenation with array-based arguments and direct cmd.exe invocation on Windows. Additionally, an allowlist for package managers was added to workspace/index.ts to prevent arbitrary command execution. A critical syntax error was identified in executor.ts where the .on() method was incorrectly placed within a ternary operator, which will cause a runtime error.

[g0w6y]

@gemini-code-assist[bot] Thanks for catching the ternary chaining issue — fixed by wrapping the expression in parentheses so .on() attaches correctly to the resulting ChildProcess on both Windows and non-Windows paths.

All previous feedback (dead code + quoting regressions + syntax) has now been resolved.

Ready for human review.

[gemini-code-assist]

Thank you for the update. The fix looks solid, and wrapping the expression in parentheses is the correct approach to ensure the .on() method is correctly attached to the ChildProcess instance. I have reviewed the changes, and they effectively address the CWE-78 vulnerabilities by moving away from shell-based command execution and implementing proper argument handling. This is ready for merge.