Skip to content

refactor(benchmark): use shell: false and quote args in benchmark-compare workflow#68136

Open
herdiyana256 wants to merge 1 commit intoangular:mainfrom
herdiyana256:fix/benchmark-shell-injection-v2
Open

refactor(benchmark): use shell: false and quote args in benchmark-compare workflow#68136
herdiyana256 wants to merge 1 commit intoangular:mainfrom
herdiyana256:fix/benchmark-shell-injection-v2

Conversation

@herdiyana256
Copy link
Copy Markdown

@herdiyana256 herdiyana256 commented Apr 10, 2026

Currently, the exec() utility in scripts/benchmarks/utils.mts uses childProcess.spawn() with shell: true. This causes the OS shell to interpret the entire command string, including any arguments, so that special characters within an argument value could alter the intended behavior of the command.

This commit changes the spawn option to shell: false (the Node.js default). With this setting, cmd and args are passed directly to the OS, so each argument is treated as a literal string. Special characters within argument values are not interpreted by any shell.

Additionally, the benchmarkTarget step output in .github/workflows/benchmark-compare.yml is now quoted to prevent unintended word-splitting in the shell run step.

Files changed:

  • scripts/benchmarks/utils.mts: Changed shell: true to shell: false, updated JSDoc.
    • .github/workflows/benchmark-compare.yml: Quoted the benchmarkTarget output variable.

@pullapprove pullapprove bot requested a review from josephperrott April 10, 2026 23:34
@google-cla
Copy link
Copy Markdown

google-cla bot commented Apr 10, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@herdiyana256
refactor(benchmark): use shell: false and quote args in benchmark-com…
18c437c 
…pare workflow

Replace `shell: true` with `shell: false` in the `exec()` utility function to
ensure that command arguments are passed directly to the spawned process without
shell interpretation. This prevents shell metacharacters in any argument value
from being evaluated as shell commands.

Additionally, quote the benchmarkTarget step output reference in the
benchmark-compare workflow to prevent word-splitting when the value contains
spaces or other special characters.
@herdiyana256 herdiyana256 force-pushed the fix/benchmark-shell-injection-v2 branch from cc04fb1 to 18c437c Compare April 10, 2026 23:46
@google-cla google-cla bot added cla: yes and removed cla: no labels Apr 10, 2026
@kirjs kirjs added the area: dev-infra Issues related to Angular's own dev infra (build, test, CI, releasing) label Apr 13, 2026
@ngbot ngbot bot added this to the Backlog milestone Apr 13, 2026
josephperrott
josephperrott approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@josephperrott josephperrott left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@josephperrott josephperrott josephperrott approved these changes

Assignees

No one assigned

Labels

area: dev-infra Issues related to Angular's own dev infra (build, test, CI, releasing) cla: yes

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

4 participants

@herdiyana256 @josephperrott @JeanMeche @kirjs