fix: prevent binary planting attacks on Windows
zkochan committed Sep 16, 2021
1 parent 6a46bed commit 04b7f60
Showing 22 changed files with 125 additions and 82 deletions.
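--- /dev/null
+++ b/.changeset/sweet-insects-carry.md
@@ -0,0 +1,10 @@
+---
+"@pnpm/filter-workspace-packages": patch
+"@pnpm/git-fetcher": patch
+"@pnpm/git-resolver": patch
+"@pnpm/plugin-commands-publishing": patch
+"@pnpm/plugin-commands-script-runners": patch
+"@pnpm/plugin-commands-setup": patch
+---
+
+Use safe-execa instead of execa to prevent binary planting attacks on Windows.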
2 changes: 1 addition & 1 deletion packages/beta/package.json
Expand Up @@ -18,7 +18,7 @@
},
"devDependencies": {
"@zkochan/pkg": "0.0.0-2",
"execa": "^5.0.0"
"execa": "npm:safe-execa@^0.1.1"
},
"funding": "https://opencollective.com/pnpm",
"homepage": "https://github.com/pnpm/pnpm/blob/master/packages/beta#readme",
2 changes: 1 addition & 1 deletion packages/beta/scripts/build-artifacts.ts
@@ -1,4 +1,4 @@
import execa from 'execa'
import * as execa from 'execa'
import path from 'path'

function build (target: string) {
2 changes: 1 addition & 1 deletion packages/filter-workspace-packages/package.json
Expand Up @@ -31,7 +31,7 @@
"@pnpm/error": "workspace:2.0.0",
"@pnpm/find-workspace-packages": "workspace:3.1.13",
"@pnpm/matcher": "workspace:2.0.0",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"find-up": "^5.0.0",
"is-subdir": "^1.1.1",
"micromatch": "^4.0.2",
2 changes: 1 addition & 1 deletion packages/git-fetcher/package.json
Expand Up @@ -32,7 +32,7 @@
"@pnpm/fetcher-base": "workspace:11.0.3",
"@pnpm/prepare-package": "workspace:1.0.3",
"@zkochan/rimraf": "^2.1.1",
"execa": "^5.0.0"
"execa": "npm:safe-execa@^0.1.1"
},
"devDependencies": {
"@pnpm/cafs": "workspace:3.0.7",
2 changes: 1 addition & 1 deletion packages/git-resolver/package.json
Expand Up @@ -33,7 +33,7 @@
"dependencies": {
"@pnpm/fetch": "workspace:4.1.1",
"@pnpm/resolver-base": "workspace:8.0.4",
"graceful-git": "^3.0.2",
"graceful-git": "^3.1.2",
"hosted-git-info": "npm:@zkochan/hosted-git-info@^4.0.2",
"semver": "^7.3.4"
},
2 changes: 1 addition & 1 deletion packages/plugin-commands-env/package.json
Expand Up @@ -50,7 +50,7 @@
"devDependencies": {
"@pnpm/prepare": "workspace:0.0.26",
"@types/adm-zip": "^0.4.34",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"path-name": "^1.0.0"
}
}
2 changes: 1 addition & 1 deletion packages/plugin-commands-env/test/env.test.ts
Expand Up @@ -3,7 +3,7 @@ import path from 'path'
import PnpmError from '@pnpm/error'
import { tempDir } from '@pnpm/prepare'
import { env } from '@pnpm/plugin-commands-env'
import execa from 'execa'
import * as execa from 'execa'
import PATH from 'path-name'

test('install Node (and npm, npx) by exact version of Node.js', async () => {
2 changes: 1 addition & 1 deletion packages/plugin-commands-listing/package.json
Expand Up @@ -37,7 +37,7 @@
"@pnpm/plugin-commands-installation": "workspace:6.1.0",
"@pnpm/prepare": "workspace:0.0.26",
"@types/ramda": "0.27.39",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"strip-ansi": "^6.0.0",
"write-yaml-file": "^4.2.0"
},
2 changes: 1 addition & 1 deletion packages/plugin-commands-publishing/package.json
Expand Up @@ -43,7 +43,6 @@
"@types/sinon": "^9.0.11",
"@types/tar": "^4.0.5",
"cross-spawn": "^7.0.3",
"execa": "^5.0.0",
"is-ci": "^3.0.0",
"is-windows": "^1.0.2",
"load-json-file": "^6.2.0",
Expand All @@ -67,6 +66,7 @@
"@pnpm/types": "workspace:7.4.0",
"@zkochan/rimraf": "^2.1.1",
"enquirer": "^2.3.6",
"execa": "npm:safe-execa@^0.1.1",
"fast-glob": "^3.2.4",
"npm-packlist": "^2.2.2",
"p-filter": "^2.1.0",
2 changes: 1 addition & 1 deletion packages/plugin-commands-rebuild/package.json
Expand Up @@ -39,7 +39,7 @@
"@types/ramda": "0.27.39",
"@types/semver": "^7.3.4",
"@types/sinon": "^9.0.11",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"path-exists": "^4.0.0",
"sinon": "^11.1.1",
"write-yaml-file": "^4.2.0"
2 changes: 1 addition & 1 deletion packages/plugin-commands-script-runners/package.json
Expand Up @@ -37,7 +37,6 @@
"@pnpm/prepare": "workspace:0.0.26",
"@types/ramda": "0.27.39",
"@zkochan/rimraf": "^2.1.1",
"execa": "^5.0.0",
"is-windows": "^1.0.2",
"write-yaml-file": "^4.2.0"
},
Expand All @@ -52,6 +51,7 @@
"@pnpm/sort-packages": "workspace:2.1.1",
"@pnpm/store-path": "^5.0.0",
"@pnpm/types": "workspace:7.4.0",
"execa": "npm:safe-execa@^0.1.1",
"p-limit": "^3.1.0",
"path-exists": "^4.0.0",
"path-name": "^1.0.0",
2 changes: 1 addition & 1 deletion packages/plugin-commands-script-runners/test/dlx.ts
Expand Up @@ -5,7 +5,7 @@ import { prepareEmpty } from '@pnpm/prepare'
test('dlx', async () => {
prepareEmpty()

await dlx.handler({}, ['touch', 'foo'])
await dlx.handler({}, ['shx', 'touch', 'foo'])

expect(fs.existsSync('foo')).toBeTruthy()
})
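Review bot: The new `dlx.handler({}, ['shx', 'touch', 'foo'])` line resolves `shx` with no version, so the test executes whatever the latest `shx` publish is at run time — an unpinned third-party fetch inside the test suite, which is both a supply-chain exposure in CI and a source of flakiness (it also cannot run offline). Pin the package, e.g. `await dlx.handler({}, ['shx@<pinned version>', 'touch', 'foo'])`, or, if the suite already routes dlx through a local test registry (not visible in this hunk), point it at a package that registry serves. The `dlx` test body is complete within the hunk.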
18 changes: 9 additions & 9 deletions packages/plugin-commands-script-runners/test/runRecursive.ts
Expand Up @@ -58,7 +58,7 @@ test('pnpm recursive run', async () => {
])

const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -130,7 +130,7 @@ test('pnpm recursive run reversed', async () => {
])

const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -182,7 +182,7 @@ test('pnpm recursive run concurrently', async () => {
])

const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -234,7 +234,7 @@ test('`pnpm recursive run` fails when run without filters and no package has the
])

const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -352,7 +352,7 @@ test('`pnpm recursive run` succeeds when run against a subset of packages and no
])

const { allProjects } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -409,7 +409,7 @@ test('"pnpm run --filter <pkg>" without specifying the script name', async () =>
])

const { allProjects } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -511,7 +511,7 @@ test('testing the bail config with "pnpm recursive run"', async () => {
])

const { allProjects, selectedProjectsGraph } = await readProjects(process.cwd(), [])
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -592,7 +592,7 @@ test('pnpm recursive run with filtering', async () => {
[{ namePattern: 'project-1' }],
{ workspaceDir: process.cwd() }
)
await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
Expand Down Expand Up @@ -629,7 +629,7 @@ test('`pnpm recursive run` should always trust the scripts', async () => {
},
])

await execa('pnpm', [
await execa(pnpmBin, [
'install',
'-r',
'--registry',
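Review bot: `pnpmBin` is not declared in any of these hunks, so every changed line relies on an import or constant added outside the visible diff — presumably a path to the built CLI rather than a bare command name, which is the point of the swap; worth confirming that it is an absolute path and not itself resolved through `PATH`. Style-wise, the identical `execa(pnpmBin, ['install', '-r', '--registry', …])` preamble is now repeated in nine tests; a file-level helper such as `const installRecursive = (extraArgs: string[] = []) => execa(pnpmBin, ['install', '-r', ...extraArgs])` would keep a future change to the spawn call in one place. Each test function starts and ends outside its hunk.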
2 changes: 1 addition & 1 deletion packages/plugin-commands-setup/package.json
Expand Up @@ -30,7 +30,7 @@
"homepage": "https://github.com/pnpm/pnpm/blob/master/packages/plugin-commands-setup#readme",
"dependencies": {
"@pnpm/cli-utils": "workspace:0.6.21",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"render-help": "^1.0.1"
},
"funding": "https://opencollective.com/pnpm",
2 changes: 1 addition & 1 deletion packages/plugin-commands-store/package.json
Expand Up @@ -41,7 +41,7 @@
"@types/sinon": "^9.0.11",
"@types/ssri": "^7.1.0",
"@zkochan/rimraf": "^2.1.1",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"load-json-file": "^6.2.0",
"path-exists": "^4.0.0",
"sinon": "^11.1.1",
2 changes: 1 addition & 1 deletion packages/pnpm/package.json
Expand Up @@ -79,7 +79,7 @@
"delay": "^5.0.0",
"dir-is-case-sensitive": "^2.0.0",
"esbuild": "^0.12.0",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"exists-link": "2.0.0",
"is-ci": "^3.0.0",
"is-windows": "^1.0.2",
2 changes: 1 addition & 1 deletion packages/prepare-package/package.json
Expand Up @@ -29,7 +29,7 @@
"dependencies": {
"@pnpm/read-package-json": "workspace:5.0.4",
"@zkochan/rimraf": "^2.1.1",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"preferred-pm": "^3.0.3"
},
"funding": "https://opencollective.com/pnpm"
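Review bot: This hunk changes `@pnpm/prepare-package`'s runtime `dependencies`, yet the package is absent from the changeset this commit adds (`.changeset/sweet-insects-carry.md` lists six other packages), so it will neither be version-bumped nor mentioned in the release notes; add `"@pnpm/prepare-package": patch` to that changeset. The TypeScript in this package that actually calls `execa` is not part of the diff, and the two `.ts` files that are switched from `import execa from 'execa'` to `import * as execa from 'execa'`, so confirm this package's call sites compile against the aliased module's export shape as well.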
2 changes: 1 addition & 1 deletion packages/supi/package.json
Expand Up @@ -85,7 +85,7 @@
"cross-spawn": "^7.0.3",
"deep-require-cwd": "1.0.0",
"dir-is-case-sensitive": "^2.0.0",
"execa": "^5.0.0",
"execa": "npm:safe-execa@^0.1.1",
"exists-link": "2.0.0",
"is-ci": "^3.0.0",
"is-windows": "^1.0.2",
