[Security] Add command safety check to execCommand

.jules/sentinel.md

@@ -0,0 +1,4 @@
+## 2026-05-03 - [Security] Add command safety check to execCommand
+**Vulnerability:** Execution of unsecure binaries found in the current directory (binary planting) when using `execCommand`.
+**Learning:** Core utility functions for command execution should consistently apply safety checks to prevent PATH-hijacking-like attacks in the current working directory.
+**Prevention:** Always use `parseCommand` and `checkCommandSafety` in command execution wrappers to validate the binary location before invoking execution libraries like `execa`.

packages/cli-kit/src/public/node/system.test.ts

@@ -266,6 +266,17 @@ describe('execCommand', () => {
     // Then
     expect(execaCommand).toHaveBeenCalledWith('cat', expect.objectContaining({stdin: 'inherit'}))
   })
+
+  test('raises an error if the command to run is found in the current directory', async () => {
+    // Given
+    vi.mocked(which.sync).mockReturnValueOnce('/currentDirectory/command')
+
+    // When
+    const got = system.execCommand('command', {cwd: '/currentDirectory'})
+
+    // Then
+    await expect(got).rejects.toThrowError('Skipped run of unsecure binary command found in the current directory.')
+  })
 })
 
 describe('isStdinPiped', () => {

packages/cli-kit/src/public/node/system.ts

@@ -206,6 +206,10 @@ export async function execCommand(command: string, options?: ExecOptions): Promi
     env.FORCE_COLOR = '1'
   }
   const executionCwd = options?.cwd ?? cwd()
+  const [cmd] = parseCommand(command)
+  if (cmd) {
+    checkCommandSafety(cmd, {cwd: executionCwd})
+  }
   try {
     await execaCommand(command, {
       env,