From c4b8adebdde4408663564270fd0292169fd3d5e5 Mon Sep 17 00:00:00 2001
From: Mikael Brevik
Date: Thu, 11 Mar 2021 19:57:09 +0100
Subject: [PATCH] patch: fixes possible injection issue for notify-send
---
 lib/utils.js | 4 +++-
 test/notify-send.js | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/utils.js b/lib/utils.js
index 7c75f29..ed5ce23 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -285,7 +285,9 @@ module.exports.constructArgumentList = function(options, extra) {
 };

 initial.forEach(function(val) {
- args.push(escapeFn(val));
+ if (typeof val === 'string') {
+ args.push(escapeFn(val));
+ }
 });
 for (var key in options) {
 if (
diff --git a/test/notify-send.js b/test/notify-send.js
index c06fa4a..aad1364 100644
--- a/test/notify-send.js
+++ b/test/notify-send.js
@@ -71,6 +71,17 @@ describe('notify-send', function() {
 notifier.notify({ title: 'title', message: 'body', icon: 'icon-string' });
 });

+ it('should only include strings as arguments', function(done) {
+ var expected = ['"HACKED"'];
+
+ expectArgsListToBe(expected, done);
+ var notifier = new Notify({ suppressOsdCheck: true });
+ var options = JSON.parse(
+ '{"title":"HACKED", "message":["`touch HACKED`"]}'
+ );
+ notifier.notify(options);
+ });
+
 it('should remove extra options that are not supported by notify-send', function(done) {
 var expected = [
 '"title"',
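Review bot: The `typeof val === 'string'` guard in `lib/utils.js` covers only the `initial` values. The `for (var key in options)` loop that follows is context whose body lies outside the hunk, as does the rest of `constructArgumentList`, so it is not visible whether option values are type-restricted before they reach `escapeFn`. If they are not, a non-string value supplied for an allowed option would presumably take the same path this patch closes for `message`, so enforcing the type inside `escapeFn` would cover both call sites. Non-string entries are also dropped silently; a comment above the guard such as `// only strings are quoted by escapeFn; drop arrays/objects instead of passing them through` would record why.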
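Review bot: The new test in `test/notify-send.js` pins only one shape of bad input, an array-valued `message`. It never passes a non-string value for `title` or for an option handled by the later `options` loop (for example `icon`, which the preceding test passes as a string), so a regression on that path would go unnoticed. A sibling case with the same `expectArgsListToBe` pattern and a harmless array value for `icon` would show whether the option path is covered too. A one-line comment such as `// message is an array here and must be dropped, not joined into the command line` would also explain why `expected` holds only the title.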