From 680c6c191832359a2cbe9ee6bf68918f4ee255ea Mon Sep 17 00:00:00 2001
From: Venkatesan <68438061+VenkatKwest@users.noreply.github.com>
Date: Wed, 4 Mar 2026 16:13:03 +0530
Subject: [PATCH] refactor(@angular-devkit/schematics): remove shell usage in
 git spawn to prevent command injection

Git is a native executable on Windows and does not require shell: true. Switch to array-based spawn and separate the -m flag from the commit message to prevent command injection via crafted commit messages.
---
 .../angular_devkit/schematics/tasks/repo-init/executor.ts    | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/angular_devkit/schematics/tasks/repo-init/executor.ts b/packages/angular_devkit/schematics/tasks/repo-init/executor.ts
index 97b2b12a3619..607e1bfc5cba 100644
--- a/packages/angular_devkit/schematics/tasks/repo-init/executor.ts
+++ b/packages/angular_devkit/schematics/tasks/repo-init/executor.ts
@@ -29,7 +29,6 @@ export default function (
       const errorStream = ignoreErrorStream ? 'ignore' : process.stderr;
       const spawnOptions: SpawnOptions = {
         stdio: [process.stdin, outputStream, errorStream],
-        shell: true,
         cwd: path.join(rootDirectory, options.workingDirectory || ''),
         env: {
           ...process.env,
@@ -41,7 +40,7 @@ export default function (
       };
 
       return new Promise<void>((resolve, reject) => {
-        spawn(`git ${args.join(' ')}`, spawnOptions).on('close', (code: number) => {
+        spawn('git', args, spawnOptions).on('close', (code: number) => {
           if (code === 0) {
             resolve();
           } else {
@@ -82,7 +81,7 @@ export default function (
       if (options.commit) {
         const message = options.message || 'initial commit';
 
-        await execute(['commit', `-m "${message}"`]);
+        await execute(['commit', '-m', message]);
       }
 
       context.logger.info('Successfully initialized git.');