Merge pull request from GHSA-8xwp-r7pj-cgw3

Fix vulnerability in npm command
asdfugil · Mar 25, 2020 · d7dc875 · d7dc875
2 parents 0de06fd + f8e040a
commit d7dc875
Showing 1 changed file with 7 additions and 12 deletions.
diff --git a/commands/npm.js b/commands/npm.js
@@ -1,6 +1,8 @@
 require('dotenv').config()
 const { exec } = require("child_process");
 const { RichEmbed, Message } = require("discord.js");
+const { escape } = require("querystring")
+const fetch = require("node-fetch")
 module.exports = {
   name: "npm",
   args: true,
@@ -21,11 +23,8 @@ module.exports = {
         )}...`,
       { disableEveryone: true }
     );
-    exec(
-      `npm search ${args.join(" ").replace(/\n/g, " ")} -json -l`,
-      async (er, so, se) => {
-        if (so) {
-          const res = JSON.parse(so).map(
+    const response = await fetch("https://www.npmjs.com/search/suggestions?q=" + escape(args.join(" "))).then(r => r.json())
+       const res = response.map(
             (x, index) => `${index + 1}. ${x.name}`
           );
           message.channel
@@ -42,9 +41,9 @@ module.exports = {
                 )
                 .on("collect", msg => {
                   const choice = parseInt(msg.content) - 1;
-                  if (!JSON.parse(so)[choice])
+                  if (!response[choice])
                     return message.reply("out of range.");
-                  const result = JSON.parse(so)[choice];
+                  const result = response[choice];
                   const embed = new RichEmbed()
                     .setColor("#ff0000")
                     .setTitle(result.name)
@@ -86,10 +85,6 @@ module.exports = {
                   message.channel.send(embed);
                 });
             });
+            message.channel.stopTyping();
         }
-        if (se) await message.channel.send(se, { code: "xl", split: true });
-        message.channel.stopTyping();
-      }
-    );
   }
-};