Merge pull request from GHSA-49q3-8867-5wmp

fix: Escape shell string
reg-viz · Jun 8, 2021 · f84ad9c · f84ad9c
2 parents 1c1a933 + 7fb0c71
commit f84ad9c
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/packages/reg-keygen-git-hash-plugin/package.json b/packages/reg-keygen-git-hash-plugin/package.json
@@ -23,10 +23,12 @@
   "repository": "git+https://github.com/reg-viz/reg-suit.git",
   "license": "MIT",
   "dependencies": {
-    "reg-suit-util": "^0.10.15"
+    "reg-suit-util": "^0.10.15",
+    "shell-escape": "^0.2.0"
   },
   "devDependencies": {
     "@types/jest": "26.0.23",
+    "@types/shell-escape": "0.2.0",
     "glob": "7.1.6",
     "jest": "26.6.3",
     "reg-suit-interface": "^0.10.15",

diff --git a/packages/reg-keygen-git-hash-plugin/src/git-cmd-client.ts b/packages/reg-keygen-git-hash-plugin/src/git-cmd-client.ts
@@ -1,4 +1,5 @@
 import { execSync } from "child_process";
+import shellEscape from "shell-escape";
 
 export class GitCmdClient {
   private _revParseHash: { [key: string]: string } = {};
@@ -19,22 +20,22 @@ export class GitCmdClient {
   }
 
   containedBranches(hash: string): string {
-    return execSync(`git branch -a --contains ${hash}`, { encoding: "utf8" });
+    return execSync(shellEscape(["git", "branch", "-a", "--contains", hash]), { encoding: "utf8" });
   }
 
   logTime(hash: string) {
-    return execSync(`git log --pretty=%ci -n 1 ${hash}`, { encoding: "utf8" });
+    return execSync(shellEscape(["git", "log", "--pretty=%ci", "-n", "1", hash]), { encoding: "utf8" });
   }
 
   logBetween(a: string, b: string) {
-    return execSync(`git log --oneline ${a}..${b}`, { encoding: "utf8" });
+    return execSync(shellEscape(["git", "log", "--oneline", `${a}..${b}`]), { encoding: "utf8" });
   }
 
   logGraph() {
     return execSync('git log -n 300 --graph --pretty=format:"%h %p"', { encoding: "utf8" });
   }
 
   mergeBase(a: string, b: string) {
-    return execSync(`git merge-base -a ${a} ${b}`, { encoding: "utf8" });
+    return execSync(shellEscape(["git", "merge-base", "-a", a, b]), { encoding: "utf8" });
   }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -1760,6 +1760,11 @@
     "@types/tough-cookie" "*"
     form-data "^2.5.0"
 
+"@types/shell-escape@0.2.0":
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/@types/shell-escape/-/shell-escape-0.2.0.tgz#cd2f0df814388599dd07196dcc510de2669d1ed2"
+  integrity sha512-7kUdtJtUylvyISJbe9FMcvMTjRdP0EvNDO1WbT0lT22k/IPBiPRTpmWaKu5HTWLCGLQRWVHrzVHZktTDvvR23g==
+
 "@types/sinon@10.0.2":
   version "10.0.2"
   resolved "https://registry.yarnpkg.com/@types/sinon/-/sinon-10.0.2.tgz#f360d2f189c0fd433d14aeb97b9d705d7e4cc0e4"
@@ -8073,6 +8078,11 @@ shebang-regex@^3.0.0:
   resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-3.0.0.tgz#ae16f1644d873ecad843b0307b143362d4c42172"
   integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==
 
+shell-escape@^0.2.0:
+  version "0.2.0"
+  resolved "https://registry.yarnpkg.com/shell-escape/-/shell-escape-0.2.0.tgz#68fd025eb0490b4f567a027f0bf22480b5f84133"
+  integrity sha1-aP0CXrBJC09WegJ/C/IkgLX4QTM=
+
 shell-quote@^1.6.1:
   version "1.7.1"
   resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.7.1.tgz#3161d969886fb14f9140c65245a5dd19b6f0b06b"