fix command injection vulnerability

IonicaBizau · Apr 3, 2020 · 5108446 · 5108446
1 parent e6eea8e
commit 5108446
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 17 deletions.
diff --git a/example/index.js b/example/index.js
@@ -16,7 +16,7 @@ oneByOne([
     }
   , cb => {
         console.log("> Created README.md");
-        myRepo.exec("add .", cb);
+        myRepo.exec(['add', '.'], cb);
     }
   , cb => {
         console.log("> Added the files.");

diff --git a/lib/index.js b/lib/index.js
@@ -52,29 +52,22 @@ class Gry {
      * @return {Gry} The `Gry` instance.
      */
     exec (command, args, callback) {
-
         var eargs = [];
         if (typeof args === "function") {
             callback = args;
             args = null;
         }
 
-        // Handle spawn
-        if (Array.isArray(args)) {
-            eargs.push("git", [command].concat(args));
-        } else {
-            eargs.push("git " + command.trim());
-        }
-
         eargs.push({ cwd: this.cwd });
 
         // Add the callback function
         eargs.push((err, stdout) => {
             if (err) { return callback(err); }
             callback(null, stdout.trimRight());
         });
+        console.log({command, eargs, callback})
 
-        el.add.apply(el, eargs);
+        el.add('git', command, eargs[0], eargs[1]);
         return this;
     }
 
@@ -88,7 +81,7 @@ class Gry {
      * @return {Gry} The `Gry` instance.
      */
     init (callback) {
-        return this.exec("init", callback);
+        return this.exec(['init'], callback);
     }
 
     /**
@@ -128,7 +121,7 @@ class Gry {
             callback = options;
             options = "";
         }
-        return this.exec("commit -m \"" + message + "\" " + options, callback)
+        return this.exec(['commit', '-m', message, ...options.split(' ').filter(a => a)], callback)
     }
 
     /**
@@ -146,7 +139,7 @@ class Gry {
             callback = options;
             options = "";
         }
-        return this.exec("pull " + options, callback);
+        return this.exec(['pull', ...options.split(' ')], callback);
     }
 
     /**
@@ -164,7 +157,7 @@ class Gry {
             callback = options;
             options = ".";
         }
-        return this.exec("add " + options, callback);
+        return this.exec(['add', ...options.split(' ')], callback);
     }
 
     /**
@@ -182,7 +175,7 @@ class Gry {
             callback = options;
             options = "";
         }
-        return this.exec("branch " + options, callback);
+        return this.exec(['branch', ...options.split(' ')], callback);
     }
 
     /**
@@ -200,7 +193,7 @@ class Gry {
             callback = options;
             options = "";
         }
-        return this.exec("checkout " + options, callback);
+        return this.exec(['checkout', ...options.split(' ')], callback);
     }
 
     /**
@@ -219,7 +212,7 @@ class Gry {
             callback = options;
             options = "";
         }
-        return this.exec("clone " + gitUrl + " " + options, callback);
+        return this.exec(['clone', gitUrl, ...options.split(' ')], callback);
     }
 }