fix(create-docusaurus): potential security issue with command injection #7507
@@ -0,0 +1,19 @@ | ||
/** | ||
* Copyright (c) Facebook, Inc. and its affiliates. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
*/ | ||
|
||
import {escapeShellArg} from '../shellUtils'; | ||
|
||
describe('shellUtils', () => { | ||
it('escapeShellArg', () => { | ||
expect(escapeShellArg('hello')).toBe("'hello'"); | ||
expect(escapeShellArg('*')).toBe("'*'"); | ||
expect(escapeShellArg('hello world')).toBe("'hello world'"); | ||
expect(escapeShellArg("'hello'")).toBe("\\''hello'\\'"); | ||
Need more tests with unpaired quotes and attempts at injection.

This will be deleted after moving to Execa. I think those temporary tests are good enough for the small amount of escaping we'll do manually. Now if you want to add tests or provide a better implementation, go ahead.
||
expect(escapeShellArg('$(pwd)')).toBe("'$(pwd)'"); | ||
expect(escapeShellArg('hello$(pwd)')).toBe("'hello$(pwd)'"); | ||
}); | ||
}); |
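Review bot: the test set misses the three inputs most likely to break this quoting scheme: an empty string, an unpaired quote such as `it's`, and two adjacent quotes such as `a''b`, which is the only kind of input that exercises the second cleanup regex `.replace(/\\'''/g, "\\'")` in the middle of a string rather than at its end. Suggest adding, for example, `expect(escapeShellArg("it's")).toBe("'it'\\''s'");` and `expect(escapeShellArg("a''b")).toBe("'a'\\'\\''b'");`, plus an explicit expectation for `escapeShellArg('')` so that its result is pinned down by a test rather than left to whatever the implementation happens to do.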
@@ -0,0 +1,18 @@ | ||
/** | ||
* Copyright (c) Facebook, Inc. and its affiliates. | ||
* | ||
* This source code is licensed under the MIT license found in the | ||
* LICENSE file in the root directory of this source tree. | ||
*/ | ||
|
||
// TODO move from shelljs to execa later? | ||
// Execa is well maintained and widely used | ||
// Even shelljs recommends execa for security / escaping: | ||
// https://github.com/shelljs/shelljs/wiki/Security-guidelines | ||
|
||
// Inspired by https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js | ||
export function escapeShellArg(s: string): string { | ||
let res = `'${s.replace(/'/g, "'\\''")}'`; | ||
res = res.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'"); | ||
return res; | ||
} |
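Review bot: `escapeShellArg('')` returns an empty string, because the wrapped value `''` is immediately stripped again by `.replace(/^(?:'')+/g, '')`; an empty argument therefore disappears from the command line instead of being passed as `''`, which shifts the position of every argument after it. Guard the empty case (return `"''"` before the cleanup step) or drop that leading-quote cleanup altogether, since it is purely cosmetic: `''` is an empty word in POSIX `sh`, so `''\''hello'\'''` and `\''hello'\'` parse to the same value. A doc comment on the function would also help: this quoting is only meaningful for POSIX-style shells, whereas shelljs `exec` on Windows runs through `cmd.exe`, where single quotes are not quoting characters, so callers should not rely on it there.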
@@ -87,6 +87,8 @@ esbuild | |
eslintcache | ||
estree | ||
evaluable | ||
execa | ||
Execa | ||
externalwaiting | ||
failfast | ||
fbid | ||
|
I know it's already very bloated, but I'd like to point out that a bare install of create-docusaurus is 8.1M, which is a bit too much for a scaffolding utility. I'd like to lower its size gradually, like avoiding lodash and @docusaurus/utils.

Agree, but it will be removed after migrating to Execa, so I'd rather increase this temporarily rather than creating a temporary smaller package.

Sure, I agree!