fix(editor): execute oxc.path.server in win32 with shell, when its the node_module binary

Sysix · Sysix · commit 385c4cb454b1 · 2025-09-28T15:21:57.000Z
diff --git a/editors/vscode/client/PathValidator.ts b/editors/vscode/client/PathValidator.ts
@@ -8,7 +8,7 @@
  *
  * The check for malicious characters is not needed, but it's an additional layer of security.
  * When using `shell: true` in `LanguageClient.ServerOptions`, it can be vulnerable to command injection.
- * Even though we are not using `shell: true`, it's a good practice to validate the input.
+ * We are using `shell: true` only on Windows when the paths ends with `node_modules/.bin/oxc_language_server`.
  */
 export function validateSafeBinaryPath(binary: string): boolean {
   // Check for path traversal (including Windows variants)
diff --git a/editors/vscode/client/extension.ts b/editors/vscode/client/extension.ts
@@ -137,8 +137,7 @@ export async function activate(context: ExtensionContext) {
     outputChannel,
   );
 
-  async function findBinary(): Promise<string> {
-    let bin = configService.getUserServerBinPath();
+  async function findBinary(bin: string | undefined): Promise<string> {
     if (workspace.isTrusted && bin) {
       try {
         await fsPromises.access(bin);
@@ -155,10 +154,20 @@ export async function activate(context: ExtensionContext) {
     );
   }
 
-  const command = await findBinary();
+  const userDefinedBinary = configService.getUserServerBinPath();
+  const command = await findBinary(userDefinedBinary);
   const run: Executable = {
     command: command!,
     options: {
+      // On Windows we need to run the binary in a shell to be able to execute the shell npm bin script.
+      // This is only needed when the user explicitly configures the binary to point to the npm bin script.
+      // The extension is shipped with the `.exe` file, we don't need to run it in a shell.
+      // Searching for the right `.exe` file inside `node_modules/` is not reliable as it depends on
+      // the package manager used (npm, yarn, pnpm, etc) and the package version.
+      // The npm bin script is a shell script that points to the actual binary.
+      // Security: We validated the userDefinedBinary in `configService.getUserServerBinPath()`.
+      shell: process.platform === 'win32' && command === userDefinedBinary &&
+        userDefinedBinary?.endsWith('node_modules\\.bin\\oxc_language_server'),
       env: {
         ...process.env,
         RUST_LOG: process.env.RUST_LOG || 'info',

Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,7 @@`
`8`	`8`	`*`
`9`	`9`	`* The check for malicious characters is not needed, but it's an additional layer of security.`
`10`	`10`	* When using `shell: true` in `LanguageClient.ServerOptions`, it can be vulnerable to command injection.
`11`		- * Even though we are not using `shell: true`, it's a good practice to validate the input.
	`11`	+ * We are using `shell: true` only on Windows when the paths ends with `node_modules/.bin/oxc_language_server`.
`12`	`12`	`*/`
`13`	`13`	`export function validateSafeBinaryPath(binary: string): boolean {`
`14`	`14`	`// Check for path traversal (including Windows variants)`