prevent OS commands from being injected
grawk committed Dec 29, 2022
1 parent 0eef7af commit aa271d3
Showing 3 changed files with 8 additions and 2 deletions.
5 changes: 5 additions & 0 deletions index.js
Expand Up @@ -8,6 +8,11 @@ var error = debug('nemo-appium:error');


module.exports.setup = function (apath, nemo, cb) {
// validate apath since we are going to execute it
// should end in appium, and contain no spaces
if (apath.indexOf('appium') !== apath.length - 6 || apath.indexOf(' ') > -1) {
return cb(new Error('Invalid path to appium executable'))
}
var once = function () {
cb.apply(null, arguments);
once = function () {
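Review bot: The `apath` check added at the top of `setup` is both too strict and too loose. `apath.indexOf('appium')` returns the first match, so a legitimate path that also has an `appium` directory in it (constructed example: `/opt/appium/bin/appium`) is rejected, while rejecting only the space character leaves every other shell metacharacter accepted if the string is later handed to a shell. It also throws a TypeError instead of calling `cb` when `apath` is undefined. An allowlist is safer: `if (typeof apath !== 'string' || !/^[A-Za-z0-9_.\/-]*appium$/.test(apath)) {`. The code that executes the path lies outside this hunk; if it uses `child_process.exec`, moving to `execFile` or `spawn` without a shell would remove the injection class rather than filter it.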
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -23,7 +23,7 @@
},
"homepage": "https://github.com/paypal/nemo-appium#readme",
"dependencies": {
"appium-running": "^0.1.3",
"appium-running": "0.1.3",
"debug": "^2.2.0"
}
}
3 changes: 2 additions & 1 deletion test/index.js
@@ -1,10 +1,11 @@
var naPlugin = require('../index');
var nemo = {};
///Users/medelman/.nvm/current/bin/appium
var appiumPath = process.env.APPIUM_PATH;
var appiumPath ='touch HACKED && ~/bin/appium';

naPlugin.setup(appiumPath, nemo, function (err, out) {
if (err) {
console.log('You want to see this error. It means the setup function is validating the appium path for potential OS commands');
return console.error(err);
}
setTimeout(function () {
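Review bot: This test asserts nothing: the callback only logs the error, so if the validation in `setup` regresses the script still exits 0 and the hard-coded `appiumPath` string reaches whatever executes it. Fail explicitly on the non-error path, e.g. `var assert = require('assert');` at the top and `assert.ok(err instanceof Error, 'setup must reject a path carrying shell syntax');` as the first line of the callback. Replacing `process.env.APPIUM_PATH` also appears to drop the only happy-path run, so keeping that case next to the negative one would preserve coverage. The callback body continues outside the hunk.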
