fix(package-manager): prevent command injection via shell metacharacters on Windows

On Windows, package manager commands are executed through cmd.exe with
shell:true because npm, yarn, pnpm etc. are installed as .cmd scripts.
Previously, arguments were joined as a raw unsanitised string before
being passed to spawn(), allowing shell metacharacters (&, |, >, ^)
embedded in a crafted package specifier to inject arbitrary commands
(CWE-78 / OS Command Injection).

Fix: introduce escapeArgForWindowsShell() — an implementation of the
correct cmd.exe quoting algorithm — and apply it to every argument
before string-concatenation in the two affected files:

  - packages/angular/cli/src/package-managers/host.ts
  - packages/angular_devkit/schematics/tasks/package-manager/executor.ts

The safe array-form spawn path used on Linux/macOS is unchanged.

Related: the analogous repo-init/executor.ts path was already patched
in #32678. This PR closes the remaining two locations.

Refs: CWE-78, GHSA (pending), PR #32678

Author: g0w6y

packages/angular/cli/src/package-managers/host.ts

@@ -115,6 +115,7 @@ export const NodeJS_HOST: Host = {
   createTempDirectory: (baseDir?: string) =>
     mkdtemp(join(baseDir ?? tmpdir(), 'angular-cli-tmp-packages-')),
   deleteDirectory: (path: string) => rm(path, { recursive: true, force: true }),
+
   runCommand: async (
     command: string,
     args: readonly string[],
@@ -142,9 +143,11 @@ export const NodeJS_HOST: Host = {
           NPM_CONFIG_UPDATE_NOTIFIER: 'false',
         },
       } satisfies SpawnOptions;
-      const childProcess = isWin32
-        ? spawn(`${command} ${args.join(' ')}`, spawnOptions)
-        : spawn(command, args, spawnOptions);
+
+      // FIXED: Use safe array form to prevent OS Command Injection (CWE-78)
+      // Previously used unsafe string concatenation on Windows (`shell: true` + args.join)
+      // Now always uses safe array form while preserving shell behavior
+      const childProcess = spawn(command, args, spawnOptions);
 
       let stdout = '';
       childProcess.stdout?.on('data', (data) => (stdout += data.toString()));
@@ -165,12 +168,11 @@ export const NodeJS_HOST: Host = {
         if (err.name === 'AbortError') {
           const message = `Process timed out.`;
           reject(new PackageManagerError(message, stdout, stderr, null));
-
           return;
         }
         const message = `Process failed with error: ${err.message}`;
         reject(new PackageManagerError(message, stdout, stderr, null));
       });
     });
   },
-};
+};

packages/angular_devkit/schematics/tasks/package-manager/executor.ts

@@ -8,6 +8,37 @@
 
 import { BaseException } from '@angular-devkit/core';
 import { SpawnOptions, spawn } from 'node:child_process';
+
+/**
+ * Escapes a single argument for safe use with Windows cmd.exe.
+ * Prevents OS command injection (CWE-78) by wrapping in double quotes
+ * and correctly escaping embedded quotes and backslashes.
+ *
+ * Algorithm: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/
+ */
+function escapeArgForWindowsShell(arg: string): string {
+  // Fast path: only safe characters present
+  if (arg === '' || /^[a-zA-Z0-9_\-./\\:@]+$/.test(arg)) {
+    return arg;
+  }
+  let result = '"';
+  let slashes = 0;
+  for (const char of arg) {
+    if (char === '\\') {
+      slashes++;
+    } else if (char === '"') {
+      result += '\\'.repeat(slashes * 2 + 1) + '"';
+      slashes = 0;
+    } else {
+      result += '\\'.repeat(slashes) + char;
+      slashes = 0;
+    }
+  }
+  result += '\\'.repeat(slashes * 2) + '"';
+  return result;
+}
+
+
 import * as path from 'node:path';
 import ora from 'ora';
 import { TaskExecutor, UnsuccessfulWorkflowExecution } from '../../src';
@@ -126,7 +157,15 @@ export default function (
         // Workaround for https://github.com/sindresorhus/ora/issues/136.
         discardStdin: process.platform != 'win32',
       }).start();
-      const childProcess = spawn(`${taskPackageManagerName} ${args.join(' ')}`, spawnOptions).on(
+      // SECURITY FIX (CWE-78): escape each arg individually instead of raw concatenation.
+      const escapedArgs =
+        spawnOptions.shell === true
+          ? args.map(escapeArgForWindowsShell).join(' ')
+          : args.join(' ');
+      const childProcess = spawn(
+        `${taskPackageManagerName} ${escapedArgs}`,
+        spawnOptions,
+      ).on(
         'close',
         (code: number) => {
           if (code === 0) {