
Commit 5108446

author
jammy
committed
fix command injection vulnerability
1 parent e6eea8e commit 5108446


2 files changed

+10
-17
lines changed


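--- a/example/index.js
+++ b/example/index.js
@@ -16,7 +16,7 @@ oneByOne([
 }
 , cb => {
 console.log("> Created README.md");
-myRepo.exec("add .", cb);
+myRepo.exec(['add', '.'], cb);
 }
 , cb => {
 console.log("> Added the files.");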

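--- a/lib/index.js
+++ b/lib/index.js
@@ -52,29 +52,22 @@ class Gry {
 * @return {Gry} The `Gry` instance.
 */
 exec (command, args, callback) {
-
 var eargs = [];
 if (typeof args === "function") {
 callback = args;
 args = null;
 }
 
-// Handle spawn
-if (Array.isArray(args)) {
-eargs.push("git", [command].concat(args));
-} else {
-eargs.push("git " + command.trim());
-}
-
 eargs.push({ cwd: this.cwd });
 
 // Add the callback function
 eargs.push((err, stdout) => {
 if (err) { return callback(err); }
 callback(null, stdout.trimRight());
 });
+console.log({command, eargs, callback})
 
-el.add.apply(el, eargs);
+el.add('git', command, eargs[0], eargs[1]);
 return this;
 }
 
@@ -88,7 +81,7 @@ class Gry {
 * @return {Gry} The `Gry` instance.
 */
 init (callback) {
-return this.exec("init", callback);
+return this.exec(['init'], callback);
 }
 
 /**
@@ -128,7 +121,7 @@ class Gry {
 callback = options;
 options = "";
 }
-return this.exec("commit -m \"" + message + "\" " + options, callback)
+return this.exec(['commit', '-m', message, ...options.split(' ').filter(a => a)], callback)
 }
 
 /**
@@ -146,7 +139,7 @@ class Gry {
 callback = options;
 options = "";
 }
-return this.exec("pull " + options, callback);
+return this.exec(['pull', ...options.split(' ')], callback);
 }
 
 /**
@@ -164,7 +157,7 @@ class Gry {
 callback = options;
 options = ".";
 }
-return this.exec("add " + options, callback);
+return this.exec(['add', ...options.split(' ')], callback);
 }
 
 /**
@@ -182,7 +175,7 @@ class Gry {
 callback = options;
 options = "";
 }
-return this.exec("branch " + options, callback);
+return this.exec(['branch', ...options.split(' ')], callback);
 }
 
 /**
@@ -200,7 +193,7 @@ class Gry {
 callback = options;
 options = "";
 }
-return this.exec("checkout " + options, callback);
+return this.exec(['checkout', ...options.split(' ')], callback);
 }
 
 /**
@@ -219,7 +212,7 @@ class Gry {
 callback = options;
 options = "";
 }
-return this.exec("clone " + gitUrl + " " + options, callback);
+return this.exec(['clone', gitUrl, ...options.split(' ')], callback);
 }
 }
 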
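Review bot: The rewritten `exec` (new lines 54–73, entirely inside the first hunk) leaves a `console.log({command, eargs, callback})` debug print in library code, so every git invocation's full argument list — commit messages included — is written to the caller's stdout; that line should be deleted. The same hunk stops reading `args` after the callback shuffle, so a caller using the previously accepted form `exec("add", ["."], cb)` has its arguments silently discarded, and a plain-string `command` is now handed to `el.add('git', command, …)` unchanged; either normalise both shapes into one argv array as sketched below, or throw a `TypeError` for a non-array `command` and update the `@param` JSDoc (which sits above the hunk and presumably still describes a string). Separately, the `pull`, `add`, `branch`, `checkout` and `clone` hunks call `options.split(' ')` on the `""` default, which yields `['']` and passes an empty argument to git; apply the `.filter(a => a)` that the `commit` hunk already uses, e.g. `...options.split(' ').filter(a => a)`. Note too that a value beginning with `-` (such as `gitUrl` in `clone`) is still interpreted by git as an option even when it is its own argv entry, so placing `'--'` before positional arguments keeps them positional.
```javascript
exec (command, args, callback) {
  if (typeof args === "function") {
    callback = args;
    args = null;
  }
  // Accept both the legacy string form ("add .") and the argv form (['add', '.']).
  // Both end up as one array handed to el.add, as the removed Array.isArray branch did.
  const argv = Array.isArray(command)
    ? command.slice()
    : command.trim().split(/\s+/).filter(a => a);
  if (Array.isArray(args)) { argv.push(...args); }

  el.add('git', argv, { cwd: this.cwd }, (err, stdout) => {
    if (err) { return callback(err); }
    callback(null, stdout.trimRight());
  });
  return this;
}
```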