Sanitize input from env nodes in devenvs

Fixes #841
pkgxdev · Nov 18, 2023 · eebd966 · eebd966
1 parent e441d0c
commit eebd966
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 3 deletions.
diff --git a/src/utils/devenv.test.ts b/src/utils/devenv.test.ts
@@ -1,5 +1,5 @@
 // deno-lint-ignore-file require-await
-import { assert, assertEquals, assertRejects } from "deno/assert/mod.ts"
+import { assert, assertEquals, assertRejects, assertThrows } from "deno/assert/mod.ts"
 import specimen, { _internals } from "./devenv.ts"
 import * as mock from "deno/testing/mock.ts"
 import { fixturesd } from "./test-utils.ts"
@@ -187,4 +187,14 @@ Deno.test("devenv.ts", async runner => {
   } finally {
     stub.restore()
   }
+
+  await runner.step("validateDollarSignUsage", () => {
+    assertThrows(() => _internals.validateDollarSignUsage("foo $(bar) baz"))
+    assertThrows(() => _internals.validateDollarSignUsage("foo $123 baz"))
+
+    _internals.validateDollarSignUsage("foo $bar baz")
+    _internals.validateDollarSignUsage("foo $BAR baz")
+    _internals.validateDollarSignUsage("foo $B0AR baz")
+    _internals.validateDollarSignUsage("foo z${FOO}s baz")
+  })
 })
diff --git a/src/utils/devenv.ts b/src/utils/devenv.ts
@@ -313,11 +313,34 @@ export default async function(dir: Path) {
         { from: "srcroot", to: dir.string }  //TODO deprecate and use $PWD once pantry is migrated
       ]
 
-      return moustaches.apply(input, foo)
+      const out = moustaches.apply(input, foo)
+      _internals.validateDollarSignUsage(out)
+      return out
     }
   }
 }
 
+function validateDollarSignUsage(str: string): void {
+  let currentIndex = 0;
+
+  while ((currentIndex = str.indexOf('$', currentIndex)) !== -1) {
+      const substring = str.substring(currentIndex);
+
+      // Check for ${FOO} format
+      const isValidCurlyFormat = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}/.test(substring);
+      // Check for $FOO format
+      const isValidDirectFormat = /^\$[A-Za-z_][A-Za-z0-9_]*/.test(substring);
+
+      if (!isValidCurlyFormat && !isValidDirectFormat) {
+          throw new Error("Invalid dollar sign usage detected.");
+      }
+
+      // Move past this $ instance
+      currentIndex++;
+  }
+}
+
+
 /// YAML-FM must be explicitly marked with a `dependencies` node
 async function extract_well_formatted_entries(yaml: PlainObject): Promise<{ deps: PackageRequirement[], env: Record<string, unknown> }> {
   const deps = await parse_deps(yaml.dependencies)
@@ -360,5 +383,6 @@ async function parse_deps(node: unknown) {
 }
 
 export const _internals = {
-  find: parse_pkg_str
+  find: parse_pkg_str,
+  validateDollarSignUsage
 }