fix: security vulnerability for cli (windows, mac and linux)

Fixes command line injection issue (https://www.npmjs.com/advisories/952) and applies `npm run prettier:fix` to files.

Author: SteinRobert

src/linux-connect.js

@@ -1,21 +1,23 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 
 function connectToWifi(config, ap, callback) {
-  var commandStr =
-    "nmcli -w 10 device wifi connect '" +
-    ap.ssid +
-    "'" +
-    ' password ' +
-    "'" +
-    ap.password +
-    "'";
+  var args = [];
+  args.push('-w');
+  args.push('10');
+  args.push('device');
+  args.push('wifi');
+  args.push('connect');
+  args.push(ap.ssid);
+  args.push('password');
+  args.push(ap.password);
 
   if (config.iface) {
-    commandStr = commandStr + ' ifname ' + config.iface;
+    args.push('ifname');
+    args.push(config.iface);
   }
 
-  exec(commandStr, { env: env }, function(err, resp) {
+  execFile('nmcli', args, { env: env }, function(err, resp) {
     // Errors from nmcli came from stdout, we test presence of 'Error: ' string
     if (resp.includes('Error: ')) {
       err = new Error(resp.replace('Error: ', ''));

src/linux-current-connections.js

@@ -1,15 +1,24 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var networkUtils = require('./network-utils');
 var env = require('./env');
 
 function getCurrentConnection(config, callback) {
-  var commandStr =
-    'nmcli --terse --fields active,ssid,bssid,mode,chan,freq,signal,security,wpa-flags,rsn-flags,device device wifi';
+  var args = [];
+  args.push('--terse');
+  args.push('--fields');
+  args.push(
+    'active,ssid,bssid,mode,chan,freq,signal,security,wpa-flags,rsn-flags,device'
+  );
+  args.push('device');
+  args.push('wifi');
+
   if (config.iface) {
-    commandStr += ' list ifname ' + config.iface;
+    args.push('list');
+    args.push('ifname');
+    args.push(config.iface);
   }
 
-  exec(commandStr, { env }, function(err, scanResults) {
+  execFile('nmcli', args, { env }, function(err, scanResults) {
     if (err) {
       callback && callback(err);
       return;

src/linux-delete.js

@@ -1,12 +1,15 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 
 function deleteConnection(config, ap, callback) {
-  var commandStr = 'nmcli connection delete id ';
+  var args = [];
+  args.push('connection');
+  args.push('delete');
+  args.push('id');
 
-  commandStr += ' ' + "'" + ap.ssid + "'";
+  args.push(ap.ssid);
 
-  exec(commandStr, env, function(err) {
+  execFile('nmcli', args, env, function(err) {
     callback && callback(err);
   });
 }

src/linux-disconnect.js

@@ -1,14 +1,16 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 
 function disconnect(config, callback) {
-  var commandStr = 'nmcli device disconnect';
+  var args = [];
+  args.push('device');
+  args.push('disconnect');
 
   if (config.iface) {
-    commandStr += ' ' + config.iface;
+    args.push(config.iface);
   }
 
-  exec(commandStr, { env }, function(err) {
+  execFile('nmcli', args, { env }, function(err) {
     callback && callback(err);
   });
 }

src/linux-scan.js

@@ -1,15 +1,24 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var networkUtils = require('./network-utils');
 var env = require('./env');
 
 function scanWifi(config, callback) {
-  var commandStr =
-    'nmcli --terse --fields active,ssid,bssid,mode,chan,freq,signal,security,wpa-flags,rsn-flags device wifi list';
+  var args = [];
+  args.push('--terse');
+  args.push('--fields');
+  args.push(
+    'active,ssid,bssid,mode,chan,freq,signal,security,wpa-flags,rsn-flags'
+  );
+  args.push('device');
+  args.push('wifi');
+  args.push('list');
+
   if (config.iface) {
-    commandStr += ' ifname ' + config.iface;
+    args.push('ifname');
+    args.push(config.iface);
   }
 
-  exec(commandStr, { env }, function(err, scanResults) {
+  execFile('nmcli', args, { env }, function(err, scanResults) {
     if (err) {
       callback && callback(err);
       return;

src/mac-connect.js

@@ -1,31 +1,18 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 
 function connectToWifi(config, ap, callback) {
   var iface = 'en0';
-  var commandStr = 'networksetup -setairportnetwork ';
+  var args = ['-setairportnetwork'];
 
   if (config.iface) {
     iface = config.iface.toString();
   }
+  args.push(iface);
+  args.push(ap.ssid);
+  args.push(ap.password);
 
-  commandStr =
-    commandStr +
-    "'" +
-    iface +
-    "'" +
-    ' ' +
-    "'" +
-    ap.ssid +
-    "'" +
-    ' ' +
-    "'" +
-    ap.password +
-    "'";
-  //console.log(commandStr);
-
-  exec(commandStr, { env }, function(err, resp) {
-    //console.log(stderr, resp);
+  execFile('networksetup', args, { env }, function(err, resp) {
     if (resp && resp.indexOf('Failed to join network') >= 0) {
       callback && callback(resp);
     } else if (resp && resp.indexOf('Could not find network') >= 0) {

src/mac-current-connections.js

@@ -1,4 +1,4 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var macProvider =
   '/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport';
 var env = require('./env');
@@ -48,9 +48,9 @@ function parseAirport(stdout) {
 }
 
 function getCurrentConnections(config, callback) {
-  var commandStr = macProvider + ' --getinfo';
+  var args = ['--getinfo'];
 
-  exec(commandStr, env, function(err, stdout) {
+  execFile(macProvider, args, env, function(err, stdout) {
     if (err) {
       callback && callback(err);
     } else {

src/mac-delete.js

@@ -1,17 +1,18 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 
 function deleteConnection(config, ap, callback) {
   var iface = 'en0';
-  var commandStr = 'networksetup -removepreferredwirelessnetwork ';
+  var args = ['-removepreferredwirelessnetwork'];
 
   if (config.iface) {
     iface = config.iface.toString();
   }
 
-  commandStr = commandStr + "'" + iface + "'" + ' ' + "'" + ap.ssid + "'";
+  args.push(iface);
+  args.push(ap.ssid);
 
-  exec(commandStr, env, function(err, resp) {
+  execFile('networksetup', args, env, function(err, resp) {
     if (
       resp &&
       resp.indexOf('was not found in the preferred networks list') >= 0

src/mac-scan.js

@@ -1,11 +1,11 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var macProvider =
   '/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport';
 var networkUtils = require('./network-utils.js');
 var env = require('./env');
 
 function scanWifi(config, callback) {
-  exec(macProvider + ' -s', { env }, function(err, scanResults) {
+  execFile(macProvider, ['-s'], { env }, function(err, scanResults) {
     if (err) {
       callback && callback(err);
     }

src/windows-connect.js

@@ -1,11 +1,11 @@
 var fs = require('fs');
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 var env = require('./env');
 var scan = require('./windows-scan');
 
-function execCommand(cmd) {
+function execCommand(cmd, params) {
   return new Promise(function(resolve, reject) {
-    exec(cmd, { env }, function(err, stdout, stderr) {
+    execFile(cmd, params, { env }, function(err, stdout, stderr) {
       if (err) {
         // Add command output to error, so it's easier to handle
         err.stdout = stdout;
@@ -36,17 +36,25 @@ function connectToWifi(config, ap, callback) {
       );
     })
     .then(function() {
-      return execCommand(
-        'netsh wlan add profile filename="nodeWifiConnect.xml"'
-      );
+      return execCommand('netsh', [
+        'wlan',
+        'add',
+        'profile',
+        'filename="nodeWifiConnect.xml"'
+      ]);
     })
     .then(function() {
-      var cmd =
-        'netsh wlan connect ssid="' + ap.ssid + '" name="' + ap.ssid + '"';
+      var cmd = 'cmd';
+      var params = [
+        'wlan',
+        'connect',
+        'ssid="' + ap.ssid + '"',
+        'name="' + ap.ssid + '"'
+      ];
       if (config.iface) {
-        cmd += ' interface="' + config.iface + '"';
+        params.push('interface="' + config.iface + '"');
       }
-      return execCommand(cmd);
+      return execCommand(cmd, params);
     })
     .then(function() {
       return execCommand('del ".\\nodeWifiConnect.xml"');
@@ -55,9 +63,14 @@ function connectToWifi(config, ap, callback) {
       callback && callback();
     })
     .catch(function(err) {
-      exec('netsh wlan delete profile "' + ap.ssid + '"', { env }, function() {
-        callback && callback(err);
-      });
+      execFile(
+        'netsh',
+        ['wlan', 'delete', 'profile "' + ap.ssid + '"'],
+        { env },
+        function() {
+          callback && callback(err);
+        }
+      );
     });
 }