Skip to content

fix: Improvements on MSRC CLI #15974

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Nitin-100 wants to merge 1 commit into
base: main
Choose a base branch
from
+152 −6
Open

fix: Improvements on MSRC CLI #15974

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
146 changes: 146 additions & 0 deletions MSRC-FIX-DETAILS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
# MSRC Security Fixes — CLI Command/Argument Injection

## Summary
Copy link
Copy Markdown
Member

@vmoroz vmoroz Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove this file


This branch addresses **3 MSRC security incidents** (2 distinct vulnerabilities) in the `react-native-windows` CLI package. Both are injection flaws in `packages/@react-native-windows/cli/src/utils/`.

| IcM | MSRC Case | File | Vulnerability | Severity | Status |
|-----|-----------|------|--------------|----------|--------|
| 580007 | 112511 | `msbuildtools.ts` | Shell command injection via `execSync` | Low (Defense in Depth) | **Fixed** |
| 580112 | 112495 | `winappdeploytool.ts` | Argument injection via `.split(' ')` | Moderate (Tampering) | **Fixed** |
| 580187 | 112540 | `winappdeploytool.ts` | Duplicate of 112495 | Moderate (Tampering) | **Covered by above** |

---

## Fix 1: Shell Command Injection in `cleanProject()` (MSRC 112511)

**File:** `packages/@react-native-windows/cli/src/utils/msbuildtools.ts`
**Function:** `cleanProject()` (Line 47)
**CWE:** CWE-78 (OS Command Injection)

### Root Cause

`cleanProject()` built a shell command string by interpolating `slnFile` into a template literal and executed it with `child_process.execSync()`. Because `execSync()` invokes `cmd.exe` on Windows, shell metacharacters embedded in `slnFile` could trigger arbitrary command execution. The `slnFile` value originates from the `--sln` CLI flag with no sanitization.

### Attack Vector

```
npx react-native run-windows --sln "MyApp.sln\" & calc.exe & echo \""
```

This launches `calc.exe` (or any arbitrary command) with the developer's full privileges during the normal clean step.

### Before (Vulnerable)

```typescript
cleanProject(slnFile: string) {
const cmd = `"${path.join(
this.msbuildPath(),
'msbuild.exe',
)}" "${slnFile}" /t:Clean`;
const results = child_process.execSync(cmd).toString().split(EOL);
results.forEach(result => console.log(chalk.white(result)));
}
```

### After (Fixed)

```typescript
cleanProject(slnFile: string) {
const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
const results = child_process
.execFileSync(msbuild, [slnFile, '/t:Clean'])
.toString()
.split(EOL);
results.forEach(result => console.log(chalk.white(result)));
}
```

### What Changed

- `execSync(cmd)` → `execFileSync(msbuild, [slnFile, '/t:Clean'])`
- `execFileSync` spawns `msbuild.exe` directly without going through `cmd.exe`
- `slnFile` is passed as a discrete argument — shell metacharacters are never interpreted
- Zero behavioral change for legitimate inputs

---

## Fix 2: Argument Injection via `.split(' ')` in `uninstallAppPackage()` (MSRC 112495 / 112540)

**File:** `packages/@react-native-windows/cli/src/utils/winappdeploytool.ts`
**Function:** `uninstallAppPackage()` (Line 150)
**CWE:** CWE-88 (Improper Neutralization of Argument Delimiters)

### Root Cause

`uninstallAppPackage()` built a command string via template literal including the `appName` parameter, then called `.split(' ')` to convert it into an argument array for `spawn()`. This pattern defeats the argument-boundary isolation that `spawn()` provides. If `appName` contains spaces (e.g., from a malicious `AppxManifest.xml` Identity Name), those spaces cause the value to be split into multiple arguments, allowing injection of arbitrary `WinAppDeployCmd.exe` flags.

### Attack Vector

A malicious `AppxManifest.xml`:
```xml
<Identity
Name="LegitApp -install -package \\attacker-share\evil.appx"
Publisher="CN=LegitCorp"
Version="1.0.0.0" />
```

Running `npx react-native run-windows --device` would silently install the attacker's `.appx` package on the target device.

### Before (Vulnerable)

```typescript
await commandWithProgress(
newSpinner(text),
text,
this.path,
`uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
verbose,
'UninstallAppOnDeviceFailure',
);
```

**Note:** The original code also had a bug — `{$targetDevice.ip}` is wrong JavaScript syntax (should be `${targetDevice.ip}`), so the IP address was never actually interpolated.

### After (Fixed)

```typescript
await commandWithProgress(
newSpinner(text),
text,
this.path,
['uninstall', '-package', appName, '-ip', targetDevice.ip],
verbose,
'UninstallAppOnDeviceFailure',
);
```

### What Changed

- Template literal + `.split(' ')` → discrete argument array
- `appName` is now a single atomic entry in the `argv` array regardless of content
- Fixed the `{$targetDevice.ip}` bug → `targetDevice.ip` (now correctly references the device IP)
- Zero behavioral change for legitimate inputs

---

## Regression Risk

**None.** Both fixes change only how arguments are passed to the operating system — from shell-interpreted strings to discrete argument arrays. Functional behavior for all legitimate inputs is identical.

## Testing

- Both files compile cleanly with zero TypeScript errors
- `commandWithProgress` already uses `spawn()` with argument arrays — the fixes align `uninstallAppPackage` with the existing safe pattern used by `installAppPackage` in the same file
- `execFileSync` is a drop-in safe replacement for `execSync` when no shell features are needed

## MSRC Ticket Actions

1. **Acknowledge ownership** on all 3 IcMs
2. **Submit the Product Team Action Plan** (due April 18, 2026) for each IcM with:
- Agreement with MSRC severity assessment
- Fix plan: "Fix in next version"
- Target release: next scheduled release
3. **Post in IcM discussions** referencing this branch and PR
4. **After PR merges and ships:** Resolve each IcM with PR number and release version
5. **IcM 580187:** Note it is a confirmed duplicate of MSRC 112495 / IcM 580112
10 changes: 5 additions & 5 deletions packages/@react-native-windows/cli/src/utils/msbuildtools.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,11 +45,11 @@ export default class MSBuildTools {
}

cleanProject(slnFile: string) {
const cmd = `"${path.join(
this.msbuildPath(),
'msbuild.exe',
)}" "${slnFile}" /t:Clean`;
const results = child_process.execSync(cmd).toString().split(EOL);
const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
const results = child_process
.execFileSync(msbuild, [slnFile, '/t:Clean'])
.toString()
.split(EOL);
results.forEach(result => console.log(chalk.white(result)));
}

Expand Down
2 changes: 1 addition & 1 deletion packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,7 @@ export default class WinAppDeployTool {
newSpinner(text),
text,
this.path,
`uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
['uninstall', '-package', appName, '-ip', targetDevice.ip],
verbose,
'UninstallAppOnDeviceFailure',
);
Expand Down
Loading