
Escape shell arguments

Open · sambostock opened this issue 5 years ago · 1 comment

Passing strings to diff as unescaped shell arguments to printf can result in unexpected (and potentially exploitable) behaviour if the strings contain special characters, such as backticks (`).

This adds a basic test which replicates the bug, and replaces the use of JSON.stringify with a basic escapeShellArg function, adapted from StackOverflow.

It would probably be good to get review from someone with more security knowledge.

sambostock · Feb 20 '20 07:02
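The description above hinges on a shell-quoting detail: `JSON.stringify` yields a double-quoted string, and a POSIX shell still performs `$…`, `` `…` `` and backslash processing inside double quotes, so backticks in a diff argument reach the shell intact. Single-quote wrapping has no such expansions; the only character that needs care is the single quote itself. The block below is an added illustration, not the git-diff project's `escapeShellArg` or any code from this PR; the function names and the sample strings are constructed for the example.

```javascript
// Added example (not the git-diff project's own code). Shows why a
// JSON.stringify-style double-quoted argument is not shell-safe and how a
// single-quote wrapping escape neutralises the characters the PR mentions.

// Wrap the argument in single quotes. Inside single quotes a POSIX shell
// interprets nothing, so the only character to handle is the single quote:
// close the quoted run, emit an escaped quote, and reopen:  '  ->  '\''
function escapeShellArg(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Characters a POSIX shell still interprets inside a double-quoted string.
// JSON.stringify escapes " and \ (so backslash is neutralised) but leaves
// $ and the backtick untouched, which is exactly the gap described above.
function doubleQuoteActiveChars(str) {
  return Array.from(new Set(str.match(/[$`]/g) || []));
}

// Build the two printf command lines side by side for a given diff input:
// the weak form (JSON.stringify) and the hardened form (escapeShellArg).
// Neither string is executed here; they are returned for inspection.
function printfCommands(input) {
  return {
    weak: "printf '%s' " + JSON.stringify(input),
    safe: "printf '%s' " + escapeShellArg(input),
    // characters the weak form would hand to the shell for expansion
    exposed: doubleQuoteActiveChars(input),
  };
}

// Constructed sample inputs: a plain string, one containing a single quote,
// and one containing backticks as in the PR description.
const samples = ["plain text", "it's fine", "a`b`c $d"];

for (const s of samples) {
  const c = printfCommands(s);
  console.log(JSON.stringify(s), "->", c.exposed.length ? "exposed: " + c.exposed.join(" ") : "no expansion");
  console.log("  weak:", c.weak);
  console.log("  safe:", c.safe);
}
```

The preferred fix in Node is to avoid a shell altogether by passing the arguments as an array to `child_process.execFile` or `spawn` (without `shell: true`); the escaping above is what you need only when a command string must go through `/bin/sh`.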

Coverage Status

Coverage remained the same at 100.0% when pulling 47d92e96fe02dd23ff503fc7d7ce56accd3316f7 on sambostock:fix-rce into 39a229007b748fb1f08e3f0e29ea515ea0844ce2 on danday74:master.

coveralls · Feb 20 '20 07:02