
Fixed shell expansion/word splitting and injection vulns

The `exec` call in `git.coffee` will be replaced soon but this fixes the issues for now.

Closes #23.
This commit is contained in:
Luke Plaster 2018-01-22 23:48:43 +08:00
parent 3f18c3d709
commit bff9d42b60
4 changed files with 14 additions and 13 deletions


@ -26,6 +26,7 @@
"url": "https://github.com/notatestuser/gift.git" "url": "https://github.com/notatestuser/gift.git"
}, },
"dependencies": { "dependencies": {
"flex-exec": "^1.0.0",
"underscore": "^1.8.3" "underscore": "^1.8.3"
}, },
"devDependencies": { "devDependencies": {
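Review bot: The injection fix now rests entirely on the new `flex-exec` dependency, and whether it spawns the command without a shell (execFile/spawn semantics rather than joining and quoting the array) is not visible from this diff, so that should be confirmed before relying on the array form as the mitigation. The caret range `"flex-exec": "^1.0.0"` accepts any future 1.x release, which for a package sitting on the command-execution path is worth pinning exactly or locking via a lockfile. A one-line comment next to the `require` in git.coffee naming the expectation (`# flex-exec must pass the array to execFile/spawn without a shell`) would make the invariant explicit for the planned replacement mentioned in the commit message.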


@ -1,5 +1,5 @@
{exec} = require 'child_process' exec = require 'flex-exec'
Repo = require './repo' Repo = require './repo'
# Public: Create a Repo from the given path. # Public: Create a Repo from the given path.
# #
@ -20,13 +20,13 @@ Git.maxBuffer = 5000 * 1024
Git.init = (path, bare, callback) -> Git.init = (path, bare, callback) ->
[bare, callback] = [callback, bare] if !callback [bare, callback] = [callback, bare] if !callback
if bare if bare
bash = "git init --bare ." bash = ["git", "init", "--bare", "."]
else else
bash = "git init ." bash = ["git", "init", "."]
exec bash, {cwd: path} exec bash, {cwd: path}
, (err, stdout, stderr) -> , (err, stdout, stderr) ->
return callback err if err return callback err if err instanceof Error
return callback err, (new Repo path, bare, { maxBuffer: Git.maxBuffer }) return callback null, (new Repo path, bare, { maxBuffer: Git.maxBuffer })
# Public: Clone a git repository. # Public: Clone a git repository.
# #
@ -42,13 +42,13 @@ Git.clone = (repository, path, depth = 0, branch = null, callback) ->
if typeof depth is 'function' if typeof depth is 'function'
callback = depth callback = depth
depth = 0 depth = 0
bash = "git clone \"#{repository}\" \"#{path}\"" bash = ["git", "clone", repository, path]
if branch isnt null and typeof branch is 'string' if branch isnt null and typeof branch is 'string'
bash += " --branch \"#{branch}\"" bash.push("--branch", branch)
if depth isnt 0 and typeof depth is 'number' if depth isnt 0 and typeof depth is 'number'
bash += " --depth \"#{depth}\"" bash.push("--depth", depth)
exec bash, (err, stdout, stderr) -> exec bash, (err, stdout, stderr) ->
return callback err if err return callback err if err instanceof Error
return callback err, (new Repo path, false, { maxBuffer: Git.maxBuffer }) return callback null, (new Repo path, false, { maxBuffer: Git.maxBuffer })
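Review bot: Passing `repository` and `path` as separate argv entries removes the shell from the picture, but on the new side of Git.clone a value beginning with `-` is still parsed by git as an option, so the positional arguments should be placed after a `--` separator with `--branch`/`--depth` pushed before it. `bash.push("--depth", depth)` also puts a number into the argument list; unless flex-exec stringifies its arguments, convert it with `String(depth)`, since Node's child_process requires string args. Narrowing the error check to `err instanceof Error` (here and in Git.init above) means any non-Error failure value reported by flex-exec would be dropped and the callback would receive `null` plus a Repo for a clone that did not happen — worth confirming that flex-exec only ever passes an Error in that position. The rewritten argument construction is below; the exec call and callback are unchanged.
```coffeescript
  bash = ["git", "clone"]
  if branch isnt null and typeof branch is 'string'
    bash.push("--branch", branch)
  if depth isnt 0 and typeof depth is 'number'
    bash.push("--depth", String(depth))
  # "--" ends option parsing so a repository or path starting with "-" is never read as a git flag
  bash.push("--", repository, path)
  # … unchanged: exec call and callback …
```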


@ -2,7 +2,7 @@ should = require 'should'
git = require '../src' git = require '../src'
Repo = require '../src/repo' Repo = require '../src/repo'
fs = require "fs" fs = require "fs"
{exec} = require 'child_process' exec = require 'flex-exec'
describe "git", -> describe "git", ->
describe "()", -> describe "()", ->


@ -12,7 +12,7 @@ Tag = require '../src/tag'
Status = require '../src/status' Status = require '../src/status'
{Ref, Head} = require '../src/ref' {Ref, Head} = require '../src/ref'
{exec} = require 'child_process' exec = require 'flex-exec'
describe "Repo", -> describe "Repo", ->