fixes(CVE-2022-25923): resolves command injection security issue
saeedseyfi committed Jan 4, 2023
1 parent 92db00b commit d425866
Showing 2 changed files with 23 additions and 2 deletions.
19 changes: 17 additions & 2 deletions index.js
@@ -1,8 +1,23 @@
const exec = require('child_process').exec;
const fs = require('fs');
const path = require('path');

module.exports = async function (bin, options) {
return new Promise((resolve, reject) => {
const cmd = `${process.cwd()}/node_modules/.bin/${bin}`;
return new Promise(async (resolve, reject) => {
const binDir = `${process.cwd()}/node_modules/.bin`;
const cmd = path.join(binDir, bin);

if (!cmd.startsWith(binDir)) {
reject(new Error(`${cmd} within the expected directory`));
return;
}

try {
await fs.access(cmd, fs.constants.X_OK);
} catch (err) {
reject(new Error(`${cmd} is not accessible: ${err.message}`));
return;
}

console.log(`Running \`${cmd}\``);

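Review bot: The containment check `cmd.startsWith(binDir)` is a bare string-prefix test, so a `bin` that normalises into a sibling directory sharing that prefix still passes. It should compare against `binDir + path.sep`, with `binDir` built by `path.join` so both sides use the same separators (as written, the forward-slash template would presumably never match the joined path on Windows). The `await fs.access(cmd, fs.constants.X_OK)` call uses the callback-style `fs` module without a callback, so nothing awaitable is returned: depending on the Node version it either throws inside the `try` for every input or the `await` completes before any check has run. The rejection text `${cmd} within the expected directory` is also missing "is not". The function body continues past the hunk, so whether `options` is still interpolated into the `exec` shell string cannot be confirmed from here; if it is, `execFile` with an argument array would be the safer call.

```javascript
const binDir = path.join(process.cwd(), 'node_modules', '.bin');
const cmd = path.join(binDir, bin);

// Require a separator after binDir so sibling directories sharing the prefix are rejected.
if (!cmd.startsWith(binDir + path.sep)) {
  reject(new Error(`${cmd} is not within the expected directory`));
  return;
}

try {
  // Synchronous form: callback-style fs.access returns nothing to await.
  fs.accessSync(cmd, fs.constants.X_OK);
} catch (err) {
  // … unchanged: reject with the "is not accessible" error and return …
}
```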
6 changes: 6 additions & 0 deletions package.json
@@ -3,6 +3,12 @@
"version": "1.1.1",
"description": "Helps you run local node binaries in node",
"main": "index.js",
"files": [
"index.js"
],
"engines": {
"node": "^8.0.0"
},
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
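Review bot: The new `"node": "^8.0.0"` range in `engines` matches only Node 8.x, because a caret range stops at the next major version. Package managers that enforce `engines` would then warn about or refuse this release on any newer runtime, which works against getting the security fix installed. If the intent is a minimum version, `"node": ">=8.0.0"` expresses that. The `version` field appears only as an unchanged line in this section, so whether the fix ships under a new version number cannot be determined from the lines shown.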
