fix(lib): fixed command injection vulnerability according to Issue #60

History.md

@@ -1,4 +1,9 @@
 
+1.9.3 / 2016-09-05
+==================
+
+  * fixed command injection vulnerability
+
 1.7.0 / 2012-12-30 
 ==================
 

lib/growl.js

@@ -9,7 +9,7 @@ var exec = require('child_process').exec
   , path = require('path')
   , exists = fs.existsSync || path.existsSync
   , os = require('os')
-  , quote = JSON.stringify
+  , shellescape = require('shell-escape')
   , cmd;
 
 function which(name) {
@@ -127,7 +127,7 @@ exports = module.exports = growl;
  * Node-growl version.
  */
 
-exports.version = '1.4.1'
+exports.version = '1.9.3'
 
 /**
  * Send growl notification _msg_ with _options_.
@@ -189,18 +189,18 @@ function growl(msg, options, fn) {
         flag = flag || /^png|gif|jpe?g$/.test(ext) && 'image'
         flag = flag || ext && (image = ext) && 'icon'
         flag = flag || 'icon'
-        args.push('--' + flag, quote(image))
+        args.push('--' + flag, image)
         break;
       case 'Darwin-NotificationCenter':
-        args.push(cmd.icon, quote(image));
+        args.push(cmd.icon, image);
         break;
       case 'Linux':
-        args.push(cmd.icon, quote(image));
+        args.push(cmd.icon, image);
         // libnotify defaults to sticky, set a hint for transient notifications
         if (!options.sticky) args.push('--hint=int:transient:1');
         break;
       case 'Windows':
-        args.push(cmd.icon + quote(image));
+        args.push(cmd.icon + image);
         break;
     }
   }
@@ -230,61 +230,61 @@ function growl(msg, options, fn) {
   switch(cmd.type) {
     case 'Darwin-Growl':
       args.push(cmd.msg);
-      args.push(quote(msg).replace(/\\n/g, '\n'));
-      if (options.title) args.push(quote(options.title));
+      args.push(msg.replace(/\\n/g, '\n'));
+      if (options.title) args.push(options.title);
       break;
     case 'Darwin-NotificationCenter':
       args.push(cmd.msg);
-      var stringifiedMsg = quote(msg);
+      var stringifiedMsg = msg;
       var escapedMsg = stringifiedMsg.replace(/\\n/g, '\n');
       args.push(escapedMsg);
       if (options.title) {
         args.push(cmd.title);
-        args.push(quote(options.title));
+        args.push(options.title);
       }
       if (options.subtitle) {
         args.push(cmd.subtitle);
-        args.push(quote(options.subtitle));
+        args.push(options.subtitle);
       }
       if (options.url) {
         args.push(cmd.url);
-        args.push(quote(options.url));
+        args.push(options.url);
       }
       break;
     case 'Linux-Growl':
       args.push(cmd.msg);
-      args.push(quote(msg).replace(/\\n/g, '\n'));
-      if (options.title) args.push(quote(options.title));
+      args.push(msg.replace(/\\n/g, '\n'));
+      if (options.title) args.push(options.title);
       if (cmd.host) {
         args.push(cmd.host.cmd, cmd.host.hostname)
       }
       break;
     case 'Linux':
       if (options.title) {
-        args.push(quote(options.title));
+        args.push(options.title);
         args.push(cmd.msg);
-        args.push(quote(msg).replace(/\\n/g, '\n'));
+        args.push(msg.replace(/\\n/g, '\n'));
       } else {
-        args.push(quote(msg).replace(/\\n/g, '\n'));
+        args.push(msg.replace(/\\n/g, '\n'));
       }
       break;
     case 'Windows':
-      args.push(quote(msg).replace(/\\n/g, '\n'));
-      if (options.title) args.push(cmd.title + quote(options.title));
-      if (options.url) args.push(cmd.url + quote(options.url));
+      args.push(msg.replace(/\\n/g, '\n'));
+      if (options.title) args.push(cmd.title + options.title);
+      if (options.url) args.push(cmd.url + options.url);
       break;
     case 'Custom':
       args[0] = (function(origCommand) {
         var message = options.title
           ? options.title + ': ' + msg
           : msg;
-        var command = origCommand.replace(/(^|[^%])%s/g, '$1' + quote(message));
-        if (command === origCommand) args.push(quote(message));
+        var command = origCommand.replace(/(^|[^%])%s/g, '$1' + message);
+        if (command === origCommand) args.push(message);
         return command;
       })(args[0]);
       break;
   }
 
   // execute
-  exec(args.join(' '), fn);
+  exec(shellescape(args), fn);
 };

package.json

@@ -1,6 +1,6 @@
 {
   "name": "growl",
-  "version": "1.9.2",
+  "version": "1.9.3",
   "description": "Growl unobtrusive notifications",
   "author": "TJ Holowaychuk <tj@vision-media.ca>",
   "maintainers": [
@@ -10,6 +10,9 @@
     "type": "git",
     "url": "git://github.com/tj/node-growl.git"
   },
+  "dependencies": {
+    "shell-escape": ">=0.2.0"
+  },
   "main": "./lib/growl.js",
   "license": "MIT"
 }