Ensure spawning of child processes are not susceptible to prototype pollution

[watson]

While there's currently no known prototype pollution gadget in Kibana, if one is found, it might be possible to perform RCE via the child processes being spawned.

Therefore, it's prudent that we harden this attack vector before someone finds a way to utilize it.

We can mitigate this our selves inside of Kibana by ensuring that the arguments passed to the spawn function (and friends) are properly sanitized, eg:

const options = Object.create(null)
options.env = Object.assign(Object.create(null), process.env)
spawn(command, options)

Preferably we should also fix this in Node.js core, so it's harder to fall victim to this sort of attack. I've created a PR to deal with this in Node.js core: nodejs/node#30008

See also the related Node.js core PR to harden process.env in general: nodejs/node#30063

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[kobelb]

I previously looked into using eslint to restrict usages of child_process.exec because:

Never pass unsanitized user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command execution.

However, in my brief exploration I was unable to find a way to restrict this method specifically. We can lint for any code which relies on child_process itself, or any method named exec, but not child_process.exec.

I haven't had the chance to see whether using https://github.com/typescript-eslint/typescript-eslint, which I believe replaces the deprecated tslint project, would allow us to do so.

Otherwise, I feel like we're stuck either monkey-patching away the problematic functions and throwing errors, or blocking modules entirely and requiring the use of our "safe" versions... I don't like any of these options :)