From 68e4e69396e4f2ce599028f35fda785dd872fd12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9?= <9092381+Renegade334@users.noreply.github.com>
Date: Wed, 28 Aug 2024 11:24:57 +0100
Subject: [PATCH] child_process: validate shell option in `normalizeExecArgs()`

- narrow validation type to string (previously de facto not validated)
- ensure empty string is coerced to true
---
 lib/child_process.js | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/child_process.js b/lib/child_process.js
index 3fb21f755be3d7..36f4db23378a59 100644
--- a/lib/child_process.js
+++ b/lib/child_process.js
@@ -196,7 +196,12 @@ function normalizeExecArgs(command, options, callback) {
 
   // Make a shallow copy so we don't clobber the user's options object.
   options = { __proto__: null, ...options };
-  options.shell = typeof options.shell === 'string' ? options.shell : true;
+
+  // Validate the shell, if present, and ensure a truthy value.
+  if (options.shell != null) {
+    validateString(options.shell, 'options.shell');
+  }
+  options.shell ||= true;
 
   return {
     file: command,