bin: Do not expose filenames to shell expansion

This resolves GHSA-5j98-mcp5-4vw2, with a minimum of breaking changes
for as many users as possible.

First, 'shell: true' is only used on the subprocess if set explicitly by
the user in the command line, and only if it is not a shell where this
can be avoided safely without any reduction in functionality. In this
case, a deprecation warning is printed, telling them that it's unsafe,
and that it will be removed in a future version.

Second, as the only reason for such behavior was to be able to have
commands that include positional arguments in the --cmd/-c value, a new
option --cmd-arg/-g is added, so that users can pass positional
arguments ahead of the file matches, in a way that does not rely on
shell expansion.

Lastly, as a general quality of life improvement which should keep this
entire issue from even mildly inconveniencing most users, when the
command contains space or quote characters (and thus, is likely to
contain positional arguments), AND the `SHELL` environment variable
refers to a shell program with a known way to pass positional arguments
to the child process, then we use that technique, again avoiding shell
expansion of the resolved file paths (or the user command itself). This
applies to sh, ksh, bash, zsh, and fish.

This potentially WILL break workflows, and require updating, if they are
relying on the automatic shell expansion, in systems other than the
known posix shells referenced above. The only likely case that anyone
will thus encounter, is running commands on Windows. While there DOES
appear to be a way to use a similar trick on Windows, but there are so
many more edge cases, I'm not confident I can do so without introducing
more bugs (and potentially more security issues).

If users find that this breakage is too severe, the fix will be to roll
out a subsequent release that turns `--shell` on by default on Windows,
if the command contains space or quote characters.

Nevertheless, v12 of this library will *not* contain a `--shell` option,
and will not run child processes in `shell:true` mode under any
circumstances.

Note: this was simultaneously and independently reported by two
researchers. My sincerest thanks for their time and attention.

Reported-by: @Gyde04 "Babajide Emmanuel Fakile"
Reported-by: @aisle-research "Pavel Kohout (Aisle Research)"
Fix: GHSA-5j98-mcp5-4vw2
Fix: CVE-2025-64756

Author: isaacs

changelog.md

@@ -1,5 +1,17 @@
 # changeglob
 
+## 11.1
+
+[GHSA-5j98-mcp5-4vw2](https://github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)
+
+- Add the `--shell` option for the command line, with a warning
+  that this is unsafe. (It will be removed in v12.)
+- Add the `--cmd-arg`/`-g` as a way to *safely* add positional
+  arguments to the command provided to the CLI tool.
+- Detect commands with space or quote characters on known shells,
+  and pass positional arguments to them safely, avoiding
+  `shell:true` execution.
+
 ## 11.0
 
 - Drop support for node before v20

src/bin.mts

@@ -3,7 +3,7 @@ import { foregroundChild } from 'foreground-child'
 import { existsSync } from 'fs'
 import { jack } from 'jackspeak'
 import { loadPackageJson } from 'package-json-from-dist'
-import { join } from 'path'
+import { basename, join } from 'path'
 import { globStream } from './index.js'
 
 const { version } = loadPackageJson(import.meta.url, '../package.json')
@@ -35,6 +35,50 @@ const j = jack({
                     this pattern`,
     },
   })
+  .flag({
+    shell: {
+      default: false,
+      description: `Interpret the command as a shell command by passing it
+                    to the shell, with all matched filesystem paths appended,
+                    **even if this cannot be done safely**.
+
+                    This is **not** unsafe (and usually unnecessary) when using
+                    the known Unix shells sh, bash, zsh, and fish, as these can
+                    all be executed in such a way as to pass positional
+                    arguments safely.
+
+                    **Note**: THIS IS UNSAFE IF THE FILE PATHS ARE UNTRUSTED,
+                    because a path like \`'some/path/\\$\\(cmd)'\` will be
+                    executed by the shell.
+
+                    If you do have positional arguments that you wish to pass to
+                    the command ahead of the glob pattern matches, use the
+                    \`--cmd-arg\`/\`-g\` option instead.
+
+                    The next major release of glob will fully remove the ability
+                    to use this option unsafely.`,
+    },
+  })
+  .optList({
+    'cmd-arg': {
+      short: 'g',
+      hint: 'arg',
+      default: [],
+      description: `Pass the provided values to the supplied command, ahead of
+                    the glob matches.
+
+                    For example, the command:
+
+                        glob -c echo -g"hello" -g"world" *.txt
+
+                    might output:
+
+                        hello world a.txt b.txt
+
+                    This is a safer (and future-proof) alternative than putting
+                    positional arguments in the \`-c\`/\`--cmd\` option.`,
+    },
+  })
   .flag({
     all: {
       short: 'A',
@@ -227,54 +271,113 @@ const j = jack({
 
 try {
   const { positionals, values } = j.parse()
-  if (values.version) {
+  const {
+    cmd,
+    shell,
+    all,
+    default: def,
+    version: showVersion,
+    help,
+    absolute,
+    cwd,
+    dot,
+
+    'dot-relative': dotRelative,
+    follow,
+    ignore,
+    'match-base': matchBase,
+    'max-depth': maxDepth,
+    mark,
+    nobrace,
+    nocase,
+    nodir,
+    noext,
+    noglobstar,
+    platform,
+    realpath,
+    root,
+    stat,
+    debug,
+    posix,
+    'cmd-arg': cmdArg,
+  } = values
+  if (showVersion) {
     console.log(version)
     process.exit(0)
   }
-  if (values.help) {
+  if (help) {
     console.log(j.usage())
     process.exit(0)
   }
-  if (positionals.length === 0 && !values.default)
-    throw 'No patterns provided'
-  if (positionals.length === 0 && values.default)
-    positionals.push(values.default)
+  //const { shell, help } = values
+  if (positionals.length === 0 && !def) throw 'No patterns provided'
+  if (positionals.length === 0 && def) positionals.push(def)
   const patterns =
-    values.all ? positionals : positionals.filter(p => !existsSync(p))
+    all ? positionals : positionals.filter(p => !existsSync(p))
   const matches =
-    values.all ?
-      []
-    : positionals.filter(p => existsSync(p)).map(p => join(p))
+    all ? [] : positionals.filter(p => existsSync(p)).map(p => join(p))
+
   const stream = globStream(patterns, {
-    absolute: values.absolute,
-    cwd: values.cwd,
-    dot: values.dot,
-    dotRelative: values['dot-relative'],
-    follow: values.follow,
-    ignore: values.ignore,
-    mark: values.mark,
-    matchBase: values['match-base'],
-    maxDepth: values['max-depth'],
-    nobrace: values.nobrace,
-    nocase: values.nocase,
-    nodir: values.nodir,
-    noext: values.noext,
-    noglobstar: values.noglobstar,
-    platform: values.platform as undefined | NodeJS.Platform,
-    realpath: values.realpath,
-    root: values.root,
-    stat: values.stat,
-    debug: values.debug,
-    posix: values.posix,
+    absolute,
+    cwd,
+    dot,
+    dotRelative,
+    follow,
+    ignore,
+    mark,
+    matchBase,
+    maxDepth,
+    nobrace,
+    nocase,
+    nodir,
+    noext,
+    noglobstar,
+    platform: platform as undefined | NodeJS.Platform,
+    realpath,
+    root,
+    stat,
+    debug,
+    posix,
   })
 
-  const cmd = values.cmd
   if (!cmd) {
     matches.forEach(m => console.log(m))
     stream.on('data', f => console.log(f))
   } else {
-    stream.on('data', f => matches.push(f))
-    stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
+    cmdArg.push(...matches)
+    stream.on('data', f => cmdArg.push(f))
+    // Attempt to support commands that contain spaces and otherwise require
+    // shell interpretation, but do NOT shell-interpret the arguments, to avoid
+    // injections via filenames. This affordance can only be done on known Unix
+    // shells, unfortunately.
+    //
+    // 'bash', ['-c', cmd + ' "$@"', 'bash', ...matches]
+    // 'zsh', ['-c', cmd + ' "$@"', 'zsh', ...matches]
+    // 'fish', ['-c', cmd + ' "$argv"', ...matches]
+    const { SHELL = 'unknown' } = process.env
+    const shellBase = basename(SHELL)
+    const knownShells = ['sh', 'ksh', 'zsh', 'bash', 'fish']
+    if (
+      (shell || /[ "']/.test(cmd)) &&
+      knownShells.includes(shellBase)
+    ) {
+      const cmdWithArgs = `${cmd} "\$${shellBase === 'fish' ? 'argv' : '@'}"`
+      if (shellBase !== 'fish') {
+        cmdArg.unshift(SHELL)
+      }
+      cmdArg.unshift('-c', cmdWithArgs)
+      stream.on('end', () => foregroundChild(SHELL, cmdArg))
+    } else {
+      if (shell) {
+        process.emitWarning(
+          'The --shell option is unsafe, and will be removed. To pass ' +
+            'positional arguments to the subprocess, use -g/--cmd-arg instead.',
+          'DeprecationWarning',
+          'GLOB_SHELL',
+        )
+      }
+      stream.on('end', () => foregroundChild(cmd, cmdArg, { shell }))
+    }
   }
 } catch (e) {
   console.error(j.usage())

tap-snapshots/test/bin.ts.test.cjs

@@ -31,6 +31,45 @@ Object {
                              If no positional arguments are provided, glob will use
                              this pattern
     
+      --shell                Interpret the command as a shell command by passing it
+                             to the shell, with all matched filesystem paths
+                             appended,
+                             **even if this cannot be done safely**.
+    
+                             This is **not** unsafe (and usually unnecessary) when
+                             using the known Unix shells sh, bash, zsh, and fish, as
+                             these can all be executed in such a way as to pass
+                             positional arguments safely.
+    
+                             **Note**: THIS IS UNSAFE IF THE FILE PATHS ARE
+                             UNTRUSTED, because a path like \`'some/path/\\\\$\\\\(cmd)'\`
+                             will be executed by the shell.
+    
+                             If you do have positional arguments that you wish to
+                             pass to the command ahead of the glob pattern matches,
+                             use the \`--cmd-arg\`/\`-g\` option instead.
+    
+                             The next major release of glob will fully remove the
+                             ability to use this option unsafely.
+    
+      -g<arg> --cmd-arg=<arg>
+                             Pass the provided values to the supplied command, ahead
+                             of the glob matches.
+    
+                             For example, the command:
+    
+                             glob -c echo -g"hello" -g"world" *.txt
+    
+                             might output:
+    
+                             hello world a.txt b.txt
+    
+                             This is a safer (and future-proof) alternative than
+                             putting positional arguments in the \`-c\`/\`--cmd\`
+                             option.
+    
+                             Can be set multiple times
+    
       -A --all               By default, the glob cli command will not expand any
                              arguments that are an exact match to a file on disk.