From 07c5a74a1ab4acaf3cf9e10b80806df359d600b6 Mon Sep 17 00:00:00 2001
From: Justin Steven
Date: Fri, 2 Oct 2020 17:21:51 +1000
Subject: [PATCH 1/2] Fix a bypass for CVE-2020-16881
Fixes #107951
Uses child_process.execFile() rather than child_process.exec() to more effectively resolve the command injection vulnerability.
---
 extensions/npm/src/features/packageJSONContribution.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/npm/src/features/packageJSONContribution.ts b/extensions/npm/src/features/packageJSONContribution.ts
index f154a8752391a..7103ce1fa1a81 100644
--- a/extensions/npm/src/features/packageJSONContribution.ts
+++ b/extensions/npm/src/features/packageJSONContribution.ts
@@ -282,8 +282,8 @@ export class PackageJSONContribution implements IJSONContribution {
 private npmView(pack: string): Promise {
 return new Promise((resolve, _reject) => {
- const command = 'npm view --json ' + pack + ' description dist-tags.latest homepage version';
- cp.exec(command, (error, stdout) => {
+ const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version'];
+ cp.execFile('npm', args, (error, stdout) => {
 if (!error) {
 try {
 const content = JSON.parse(stdout);
From 1f5fad95ef2de6cd2e013566f88bea5182aa483c Mon Sep 17 00:00:00 2001
From: Martin Aeschlimann
Date: Fri, 2 Oct 2020 17:26:56 +0200
Subject: [PATCH 2/2] bunp version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 1a578fc5e99bc..9b5ee0f876303 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "code-oss-dev",
- "version": "1.49.2",
+ "version": "1.49.3",
 "distro": "97bd451b684ef610d9752cf941451085fc6e0d91",
 "author": {
 "name": "Microsoft Corporation"
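Review bot: Switching to `cp.execFile('npm', args, …)` removes shell interpretation of `pack`, but `pack` is still handed to npm as a positional argument with no validation, so a value that does not look like a package name (for example one beginning with `-`) would be parsed by npm as an option rather than a name. A defensive check before spawning would close that gap and also avoid a needless process launch on junk input: `if (!/^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/.test(pack)) { resolve(undefined); return; }` — adjust the resolved value to whatever the caller expects on failure, since that part of `npmView` lies outside the hunk. Separately, on Windows the npm launcher is `npm.cmd`, and `execFile` without `shell: true` presumably will not resolve it the way `exec` did, so the error branch is worth exercising there. The surrounding `npmView` body continues past the end of this hunk.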