diff --git a/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json b/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json new file mode 100644 index 00000000000..1bf851f10b2 --- /dev/null +++ b/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json @@ -0,0 +1,7 @@ +{ + "type": "prerelease", + "comment": "Fix command injection in cleanProject() (CWE-78) and argument injection in uninstallAppPackage() (CWE-88)", + "packageName": "@react-native-windows/cli", + "email": "nitchaudhary@microsoft.com", + "dependentChangeType": "patch" +} diff --git a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts index b4cae081f1f..479fbed6974 100644 --- a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts +++ b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts @@ -45,11 +45,11 @@ export default class MSBuildTools { } cleanProject(slnFile: string) { - const cmd = `"${path.join( - this.msbuildPath(), - 'msbuild.exe', - )}" "${slnFile}" /t:Clean`; - const results = child_process.execSync(cmd).toString().split(EOL); + const msbuild = path.join(this.msbuildPath(), 'msbuild.exe'); + const results = child_process + .execFileSync(msbuild, [slnFile, '/t:Clean']) + .toString() + .split(EOL); results.forEach(result => console.log(chalk.white(result))); } diff --git a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts index 4ba83172700..b2cbeb526f4 100644 --- a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts +++ b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts @@ -157,7 +157,7 @@ export default class WinAppDeployTool { newSpinner(text), text, this.path, - `uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '), + ['uninstall', '-package', appName, '-ip', targetDevice.ip], verbose, 'UninstallAppOnDeviceFailure', );