Fix remote execution vulnerability by switching from execSync to execFileSync #55
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Js-Brecht
reviewed
Jun 10, 2020
Comment on lines
+69
to
+71
| if (!VALID_DOMAIN.test(domain)) { | ||
| throw new Error(`"${domain}" is not a valid domain name.`); | ||
| } |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
run()to useexecFileSyncrun()certificateForwith a (fairly permissive) regular expression limiting them to legal domain name charsFixes
Currently the
run()command inutils.jsdoes not sanitize its input, and other modules invokerun()with string-concatenated arguments including user input.A downstream dependency that uses
devcertwith public input might unwittingly permit remote execution on their servers by passing shell commands.This PR changes all "shell commands" to use Node child_process.execFileSync, which can only invoke specific executables with an array of arguments, rather than passing a full string to a shell to be evaluated.