Skip to content

Commit

Permalink
prevent shell command injection
Browse files Browse the repository at this point in the history
switch from cp.exec to cp.spawn to prevent shell command injection.

Use path-expansion logic from nodeZip in nativeZip to maintain feature parity without any vulnerability.
  • Loading branch information
nfriedly committed Sep 2, 2020
1 parent fcea252 commit 45d4a90
Show file tree
Hide file tree
Showing 2 changed files with 798 additions and 127 deletions.
50 changes: 26 additions & 24 deletions lib/bestzip.js
Original file line number Diff line number Diff line change
Expand Up @@ -65,30 +65,32 @@ function walkDir(fullPath) {

const nativeZip = options =>
new Promise((resolve, reject) => {
const sources = Array.isArray(options.source)
? options.source.join(" ")
: options.source;
const command = `zip --quiet --recurse-paths ${
options.destination
} ${sources}`;
const zipProcess = cp.exec(command, {
stdio: "inherit",
cwd: options.cwd
});
zipProcess.on("error", reject);
zipProcess.on("close", exitCode => {
if (exitCode === 0) {
resolve();
} else {
// exit code 12 means "nothing to do" right?
//console.log('rejecting', zipProcess)
reject(
new Error(
`Unexpected exit code from native zip command: ${exitCode}\n executed command '${command}'\n executed inin directory '${options.cwd ||
process.cwd()}'`
)
);
}
const cwd = options.cwd || process.cwd();
const command = "zip";
expandSources(cwd, options.source, (err, sources) => {
const args = ["--quiet", "--recurse-paths", options.destination].concat(
sources
);
const zipProcess = cp.spawn(command, args, {
stdio: "inherit",
cwd
});
zipProcess.on("error", reject);
zipProcess.on("close", exitCode => {
if (exitCode === 0) {
resolve();
} else {
// exit code 12 means "nothing to do" right?
//console.log('rejecting', zipProcess)
reject(
new Error(
`Unexpected exit code from native zip: ${exitCode}\n executed command '${command} ${args.join(
" "
)}'\n executed in directory '${cwd}'`
)
);
}
});
});
});

Expand Down
Loading

0 comments on commit 45d4a90

Please sign in to comment.