
fix: resolve MSRC command/argument injection vulnerabilities in CLI #15974

Open
Nitin-100 wants to merge 1 commit into microsoft:main from Nitin-100:nitinc/msrc-cli-injection-fixes

Conversation

Contributor

@Nitin-100 Nitin-100 commented Apr 9, 2026


- MSRC 112511: Replace execSync with execFileSync in msbuildtools.ts cleanProject()
  to prevent shell command injection via slnFile parameter (CWE-78)
- MSRC 112495/112540: Replace .split(' ') anti-pattern with discrete argument array
  in winappdeploytool.ts uninstallAppPackage() to prevent argument injection via
  appName parameter (CWE-88)
- Also fixes {.ip} syntax bug (was never interpolating the IP address)
@Nitin-100 Nitin-100 requested a review from a team as a code owner April 9, 2026 07:35

github-actions bot commented Apr 9, 2026

Performance Test Results

Branch: nitinc/msrc-cli-injection-fixes
Commit: 78dfbe12
Time: 2026-04-09T08:01:35.243Z
Tests: 161/161 passed

✅ Passed

161 scenario(s) across 28 suite(s) — no regressions

SectionList

Scenario Mean Median StdDev Renders vs Baseline
SectionList mount 5.00ms 5.00ms ±1.70ms 1 +0.0%
SectionList unmount 0.30ms 0.00ms ±0.48ms 0 +0.0%
SectionList rerender 11.90ms 12.00ms ±1.52ms 2 +14.3%
SectionList with-3-sections-15-items 6.70ms 7.00ms ±1.64ms 1 +27.3%
SectionList with-5-sections-50-items 6.90ms 6.00ms ±1.85ms 1 +0.0%
SectionList with-10-sections-200-items 5.60ms 5.50ms ±0.70ms 1 +0.0%
SectionList with-20-sections-200-items 5.20ms 5.00ms ±2.10ms 1 +0.0%
SectionList with-section-separator 1.90ms 2.00ms ±0.57ms 1 +0.0%
SectionList with-item-separator 3.30ms 3.00ms ±1.83ms 1 +50.0%
SectionList with-header-footer 2.30ms 2.00ms ±0.67ms 1 +0.0%
SectionList with-section-footer 3.10ms 2.50ms ±2.51ms 1 +25.0%
SectionList with-sticky-section-headers 1.60ms 1.50ms ±0.70ms 1 -25.0%
SectionList with-empty-list 0.50ms 0.50ms ±0.53ms 1 -50.0%
SectionList with-50-sections-1000-items 2.30ms 2.00ms ±1.70ms 1 +0.0%

FlatList

Scenario Mean Median StdDev Renders vs Baseline
FlatList mount 5.10ms 5.00ms ±1.29ms 1 +25.0%
FlatList unmount 0.30ms 0.00ms ±0.48ms 0 +0.0%
FlatList rerender 11.70ms 10.50ms ±3.06ms 2 +16.7%
FlatList with-10-items 5.60ms 5.00ms ±1.07ms 1 +25.0%
FlatList with-100-items 5.30ms 5.00ms ±0.82ms 1 +0.0%
FlatList with-500-items 5.40ms 5.00ms ±1.65ms 1 +25.0%
FlatList with-1000-items 4.10ms 4.00ms ±0.57ms 1 +0.0%
FlatList horizontal 4.50ms 5.00ms ±0.97ms 1 +0.0%
FlatList with-separator 2.30ms 2.00ms ±1.49ms 1 +0.0%
FlatList with-header-footer 1.90ms 2.00ms ±0.74ms 1 +0.0%
FlatList with-empty-list 0.60ms 1.00ms ±0.52ms 1 +100.0%
FlatList with-get-item-layout 3.10ms 3.00ms ±2.18ms 1 +200.0%
FlatList inverted 1.60ms 2.00ms ±0.52ms 1 +33.3%
FlatList with-num-columns 3.80ms 3.00ms ±1.75ms 1 +0.0%

TouchableOpacity

Scenario Mean Median StdDev Renders vs Baseline
TouchableOpacity mount 0.70ms 1.00ms ±0.67ms 1 +0.0%
TouchableOpacity unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
TouchableOpacity rerender 1.70ms 2.00ms ±0.48ms 2 +100.0%
TouchableOpacity custom-active-opacity 0.80ms 1.00ms ±0.42ms 1 +0.0%
TouchableOpacity disabled 1.30ms 1.00ms ±1.70ms 1 +0.0%
TouchableOpacity with-all-handlers 0.80ms 1.00ms ±0.42ms 1 +0.0%
TouchableOpacity with-hit-slop 0.90ms 1.00ms ±0.32ms 1 +0.0%
TouchableOpacity with-delay 0.80ms 1.00ms ±0.42ms 1 +0.0%
TouchableOpacity nested 1.50ms 1.50ms ±0.53ms 1 +50.0%
TouchableOpacity multiple-10 7.40ms 8.00ms ±2.06ms 1 +33.3%
TouchableOpacity multiple-50 32.40ms 32.00ms ±7.42ms 1 +10.3%
TouchableOpacity multiple-100 51.07ms 50.00ms ±11.96ms 1 +0.0%

ScrollView

Scenario Mean Median StdDev Renders vs Baseline
ScrollView mount 0.50ms 0.50ms ±0.53ms 1 +Infinity%
ScrollView unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
ScrollView rerender 0.60ms 1.00ms ±0.52ms 2 +0.0%
ScrollView children-20 3.47ms 3.00ms ±1.68ms 1 -25.0%
ScrollView children-100 18.07ms 18.00ms ±3.45ms 1 +12.5%
ScrollView horizontal 3.30ms 3.00ms ±0.82ms 1 -25.0%
ScrollView sticky-headers 2.90ms 3.00ms ±0.88ms 1 +0.0%
ScrollView scroll-indicators 1.00ms 1.00ms ±0.47ms 1 +0.0%
ScrollView nested 2.10ms 2.00ms ±0.32ms 1 +100.0%
ScrollView content-container-style 0.90ms 1.00ms ±0.32ms 1 +0.0%
ScrollView children-500 22.87ms 23.00ms ±4.02ms 1 +21.1%

TouchableHighlight

Scenario Mean Median StdDev Renders vs Baseline
TouchableHighlight mount 0.20ms 0.00ms ±0.42ms 1 -100.0%
TouchableHighlight unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
TouchableHighlight rerender 0.70ms 0.50ms ±0.82ms 2 -50.0%
TouchableHighlight custom-underlay-color 0.70ms 1.00ms ±0.67ms 1 +Infinity%
TouchableHighlight custom-active-opacity 0.70ms 1.00ms ±0.48ms 1 +Infinity%
TouchableHighlight disabled 0.60ms 1.00ms ±0.52ms 1 +Infinity%
TouchableHighlight with-all-handlers 0.50ms 0.50ms ±0.53ms 1 +Infinity%
TouchableHighlight with-hit-slop 0.30ms 0.00ms ±0.48ms 1 +0.0%
TouchableHighlight nested-touchables 1.00ms 1.00ms ±0.00ms 1 +0.0%
TouchableHighlight multiple-touchables-10 3.60ms 3.00ms ±1.07ms 1 +0.0%
TouchableHighlight multiple-touchables-50 16.30ms 16.50ms ±2.79ms 1 +32.0%
TouchableHighlight multiple-touchables-100 30.60ms 27.50ms ±10.75ms 1 +22.2%

Pressable

Scenario Mean Median StdDev Renders vs Baseline
Pressable mount 0.60ms 1.00ms ±0.52ms 1 +Infinity%
Pressable unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Pressable rerender 0.70ms 1.00ms ±0.48ms 2 +100.0%
Pressable with-all-handlers 0.60ms 1.00ms ±0.52ms 1 +Infinity%
Pressable with-style-function 0.50ms 0.50ms ±0.53ms 1 +Infinity%
Pressable disabled 0.50ms 0.50ms ±0.53ms 1 +Infinity%
Pressable with-hit-slop 0.30ms 0.00ms ±0.48ms 1 +0.0%
Pressable nested 0.80ms 1.00ms ±0.42ms 1 +0.0%
Pressable multiple-10 3.73ms 4.00ms ±0.70ms 1 +33.3%
Pressable multiple-50 18.93ms 18.00ms ±3.69ms 1 +28.6%
Pressable multiple-100 18.53ms 11.00ms ±12.24ms 1 -8.3%

Modal

Scenario Mean Median StdDev Renders vs Baseline
Modal mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
Modal unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
Modal rerender 0.50ms 0.50ms ±0.53ms 2 +Infinity%
Modal slide-animation 0.40ms 0.00ms ±0.52ms 1 +0.0%
Modal fade-animation 0.40ms 0.00ms ±0.52ms 1 +0.0%
Modal transparent 0.30ms 0.00ms ±0.48ms 1 +0.0%
Modal with-callbacks 0.40ms 0.00ms ±0.52ms 1 +0.0%
Modal rich-content 1.60ms 2.00ms ±0.52ms 1 +0.0%
Modal with-accessibility 0.40ms 0.00ms ±0.52ms 1 +0.0%

Image

Scenario Mean Median StdDev Renders vs Baseline
Image mount 0.00ms 0.00ms ±0.00ms 1 +0.0%
Image unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
Image rerender 0.20ms 0.00ms ±0.42ms 2 +0.0%
Image with-resize-mode 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image with-border-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image with-tint-color 0.10ms 0.00ms ±0.32ms 1 +0.0%
Image with-blur-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
Image with-accessibility 0.30ms 0.00ms ±0.48ms 1 +0.0%
Image multiple-10 1.00ms 1.00ms ±0.00ms 1 +0.0%
Image multiple-50 4.27ms 4.00ms ±0.88ms 1 +33.3%
Image multiple-100 9.93ms 10.00ms ±2.40ms 1 +25.0%

ActivityIndicator

Scenario Mean Median StdDev Renders vs Baseline
ActivityIndicator mount 0.10ms 0.00ms ±0.32ms 1 +0.0%
ActivityIndicator unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
ActivityIndicator rerender 0.60ms 0.00ms ±1.58ms 2 +0.0%
ActivityIndicator size-large 0.00ms 0.00ms ±0.00ms 1 +0.0%
ActivityIndicator size-small 0.20ms 0.00ms ±0.42ms 1 +0.0%
ActivityIndicator with-color 0.00ms 0.00ms ±0.00ms 1 +0.0%
ActivityIndicator not-animating 0.20ms 0.00ms ±0.42ms 1 +0.0%
ActivityIndicator with-accessibility 0.20ms 0.00ms ±0.42ms 1 +0.0%
ActivityIndicator multiple-10 0.87ms 1.00ms ±0.52ms 1 +0.0%
ActivityIndicator multiple-50 3.80ms 4.00ms ±0.68ms 1 +0.0%
ActivityIndicator multiple-100 9.53ms 9.00ms ±2.03ms 1 +28.6%

Switch

Scenario Mean Median StdDev Renders vs Baseline
Switch mount 0.10ms 0.00ms ±0.32ms 1 +0.0%
Switch unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
Switch rerender 0.30ms 0.00ms ±0.48ms 2 -100.0%
Switch value-true 0.20ms 0.00ms ±0.42ms 1 +0.0%
Switch disabled 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch custom-colors 0.20ms 0.00ms ±0.42ms 1 +0.0%
Switch on-value-change 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch with-accessibility 0.30ms 0.00ms ±0.48ms 1 +0.0%
Switch multiple-10 1.73ms 2.00ms ±0.59ms 1 +0.0%
Switch multiple-50 11.20ms 10.00ms ±3.49ms 1 +11.1%
Switch multiple-100 31.47ms 20.00ms ±30.01ms 1 +25.0%

Button

Scenario Mean Median StdDev Renders vs Baseline
Button mount 0.70ms 1.00ms ±0.48ms 1 +0.0%
Button unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
Button rerender 0.90ms 1.00ms ±0.32ms 2 +0.0%
Button disabled 0.80ms 1.00ms ±0.42ms 1 +0.0%
Button with-color 0.70ms 1.00ms ±0.48ms 1 +100.0%
Button with-accessibility 0.60ms 1.00ms ±0.52ms 1 +0.0%
Button multiple-10 6.67ms 6.00ms ±2.02ms 1 +0.0%
Button multiple-50 24.87ms 27.00ms ±9.91ms 1 +0.0%
Button multiple-100 19.80ms 18.00ms ±6.49ms 1 -5.3%

TextInput

Scenario Mean Median StdDev Renders vs Baseline
TextInput mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
TextInput unmount 0.10ms 0.00ms ±0.32ms 0 +0.0%
TextInput rerender 0.40ms 0.00ms ±0.52ms 2 +0.0%
TextInput multiline 0.10ms 0.00ms ±0.32ms 1 +0.0%
TextInput with-value 0.10ms 0.00ms ±0.32ms 1 +0.0%
TextInput styled 0.20ms 0.00ms ±0.42ms 1 +0.0%
TextInput multiple-100 9.40ms 8.00ms ±2.56ms 1 +14.3%

View

Scenario Mean Median StdDev Renders vs Baseline
View mount 0.10ms 0.00ms ±0.32ms 1 +0.0%
View unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
View rerender 0.20ms 0.00ms ±0.42ms 2 +0.0%
View nested-50 4.13ms 4.00ms ±1.68ms 1 +33.3%
View nested-100 9.33ms 9.00ms ±1.99ms 1 +28.6%
View shadow 0.10ms 0.00ms ±0.32ms 1 +0.0%
View border-radius 0.20ms 0.00ms ±0.42ms 1 +0.0%
View nested-500 18.07ms 11.00ms ±14.49ms 1 +10.0%

Text

Scenario Mean Median StdDev Renders vs Baseline
Text mount 0.30ms 0.00ms ±0.48ms 1 +0.0%
Text unmount 0.00ms 0.00ms ±0.00ms 0 +0.0%
Text rerender 0.20ms 0.00ms ±0.42ms 2 +0.0%
Text long-1000 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text nested 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text styled 0.20ms 0.00ms ±0.42ms 1 +0.0%
Text multiple-100 10.60ms 9.00ms ±3.96ms 1 +28.6%

SectionList.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
SectionList native mount 7.43ms 6.99ms ±1.46ms 1 +7.5%

FlatList.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
FlatList native mount 7.21ms 7.21ms ±1.04ms 1 -21.9%

TouchableHighlight.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TouchableHighlight native mount 1.96ms 1.85ms ±0.26ms 1 -11.5%

TouchableOpacity.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TouchableOpacity native mount 2.42ms 2.28ms ±0.42ms 1 -27.4%

Pressable.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Pressable native mount 1.99ms 1.92ms ±0.21ms 1 -23.4%

ScrollView.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
ScrollView native mount 4.35ms 4.30ms ±0.55ms 1 +6.3%

ActivityIndicator.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
ActivityIndicator native mount 1.86ms 1.74ms ±0.32ms 1 -30.1%

TextInput.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
TextInput native mount 2.64ms 2.50ms ±0.45ms 1 -38.8%

Switch.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Switch native mount 1.70ms 1.62ms ±0.17ms 1 -6.7%

Button.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Button native mount 2.32ms 2.19ms ±0.31ms 1 -16.0%

Modal.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Modal native mount 1.37ms 1.28ms ±0.20ms 1 +5.1%

Image.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Image native mount 2.13ms 2.07ms ±0.28ms 1 -8.4%

View.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
View native mount 1.59ms 1.41ms ±0.50ms 1 -1.5%

Text.native-perf-test.ts

Scenario Mean Median StdDev Renders vs Baseline
Text native mount 1.71ms 1.61ms ±0.22ms 1 -7.3%
