fix(core): fix execSync

Plain text values are able to escape from the JSON string and break it. If we're going to move a string value we should escape it for now. Later we should just return two different array buffers for {stdout,stderr}
socketsupply · Apr 6, 2024 · c3fe2c8 · c3fe2c8
1 parent e83dd19
commit c3fe2c8
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 13 deletions.
diff --git a/api/child_process.js b/api/child_process.js
@@ -659,7 +659,7 @@ export function execSync (command, options) {
       code: typeof code === 'string' ? code : null,
       signal: errorSignal || null,
       status: Number.isFinite(code) ? code : null,
-      output: [null, stdout.join('\n'), stderr.join('\n')]
+      output: [null, stdout, stderr]
     })
 
     // @ts-ignore
@@ -673,9 +673,9 @@ export function execSync (command, options) {
     throw error
   }
 
-  const output = options?.encoding === 'utf8'
-    ? stdout.join('\n')
-    : Buffer.from(stdout.join('\n'))
+  const output = stdout && options?.encoding === 'utf8'
+    ? stdout
+    : Buffer.from(stdout)
 
   return output
 }

diff --git a/src/core/child_process.cc b/src/core/child_process.cc
@@ -73,16 +73,16 @@ namespace SSC {
       const auto command = args.size() > 0 ? args.at(0) : String("");
       const auto argv = join(args.size() > 1 ? Vector<String>{ args.begin() + 1, args.end() } : Vector<String>{}, " ");
 
-      auto stdoutBuffer = new JSON::Array{};
-      auto stderrBuffer = new JSON::Array{};
+      StringStream* stdoutBuffer = new StringStream;
+      StringStream* stderrBuffer = new StringStream;
 
       const auto onStdout = [=](const String& output) mutable {
         if (!options.allowStdout || output.size() == 0) {
           return;
         }
 
         if (stdoutBuffer != nullptr) {
-          stdoutBuffer->push(output);
+          *stdoutBuffer << String(output);
         }
       };
 
@@ -92,7 +92,7 @@ namespace SSC {
         }
 
         if (stderrBuffer != nullptr) {
-          stderrBuffer->push(output);
+          *stderrBuffer << String(output);
         }
       };
 
@@ -112,8 +112,8 @@ namespace SSC {
               {"data", JSON::Object::Entries {
                 {"id", std::to_string(id)},
                 {"pid", std::to_string(pid)},
-                {"stdout", *stdoutBuffer},
-                {"stderr", *stderrBuffer},
+                {"stdout", encodeURIComponent(stdoutBuffer->str())},
+                {"stderr", encodeURIComponent(stderrBuffer->str())},
                 {"code", code}
               }}
             };
@@ -156,8 +156,8 @@ namespace SSC {
             {"err", JSON::Object::Entries {
               {"id", std::to_string(id)},
               {"pid", std::to_string(pid)},
-              {"stdout", *stdoutBuffer},
-              {"stderr", *stderrBuffer},
+              {"stdout", encodeURIComponent(stdoutBuffer->str())},
+              {"stderr", encodeURIComponent(stderrBuffer->str())},
               {"code", "ETIMEDOUT"}
             }}
           };

diff --git a/src/ipc/bridge.cc b/src/ipc/bridge.cc
@@ -404,7 +404,7 @@ static void initRouterTable (Router *router) {
 
     if (args.size() == 0 || args.at(0).size() == 0) {
       auto json = JSON::Object::Entries {
-        {"source", "child_process.spawn"},
+        {"source", "child_process.exec"},
         {"err", JSON::Object::Entries {
           {"message", "Spawn requires at least one argument with a length greater than zero"},
         }}