fix: further harden add (#41)

* fix: don't allow setting shell to true * fix: harden add * test: fix
ExodusMovement · Mar 13, 2024 · 5bc3d09 · 5bc3d09
1 parent adf651a
commit 5bc3d09
Show file tree

Hide file tree

Showing 9 changed files with 38 additions and 13 deletions.
diff --git a/dist/publish/index.js b/dist/publish/index.js
diff --git a/dist/publish/index.js.map b/dist/publish/index.js.map
diff --git a/dist/version/index.js b/dist/version/index.js
diff --git a/dist/version/index.js.map b/dist/version/index.js.map
diff --git a/src/utils/git.spec.ts b/src/utils/git.spec.ts
@@ -1,10 +1,20 @@
 import { add, commit, resetLastCommit } from './git'
 
 describe('add', () => {
+  it('should allow valid paths', () => {
+    expect(() => add(['./some-path', 'package.json'])).not.toThrow('Options are not allowed')
+    expect(() => add(['/some-absolute-path'])).not.toThrow('Options are not allowed')
+  })
+
   it('should throw when trying to use flags', () => {
     expect(() => add(['--force', '.yarnrc.yml'])).toThrow('Options are not allowed')
     expect(() => add(['--force', '.yarnrc.yml'])).toThrow('Options are not allowed')
   })
+
+  it('should throw trying to hide flags', () => {
+    expect(() => add(['``--force', '.yarnrc.yml'])).toThrow('Options are not allowed')
+    expect(() => add(['${}--force', '.yarnrc.yml'])).toThrow('Options are not allowed')
+  })
 })
 
 describe('commit', () => {

diff --git a/src/utils/git.ts b/src/utils/git.ts
@@ -2,9 +2,11 @@ import { spawnSync } from './process'
 import { flagsAsArguments } from './objects'
 import * as assert from 'node:assert'
 
+const PATH_CHARACTERS = /^[\w./-]+$/
+
 export function add(pathSpecs: string[]) {
   assert(
-    pathSpecs.every((it) => !it.startsWith('-')),
+    pathSpecs.every((it) => !it.startsWith('-') && PATH_CHARACTERS.test(it)),
     'Options are not allowed. Please supply paths to the files you want to add only.'
   )
 

diff --git a/src/utils/process.ts b/src/utils/process.ts
@@ -3,9 +3,13 @@ import { spawnSync as nodeSpawnSync, SpawnSyncOptionsWithStringEncoding } from '
 export const spawnSync = (
   command: string,
   args: string[],
-  options: Partial<SpawnSyncOptionsWithStringEncoding> = {}
+  options: Omit<Partial<SpawnSyncOptionsWithStringEncoding>, 'shell'> = {}
 ) => {
-  const { stdout, stderr, status } = nodeSpawnSync(command, args, { encoding: 'utf8', ...options })
+  const { stdout, stderr, status } = nodeSpawnSync(command, args, {
+    encoding: 'utf8',
+    ...options,
+    shell: false,
+  })
 
   if (status !== 0) {
     throw new Error(stderr)

diff --git a/src/version/get-tags.spec.ts b/src/version/get-tags.spec.ts
@@ -81,8 +81,8 @@ function setup(tags: string[]) {
   const commit = '26d0f601ef58b14de321cad15b059fe2962b37f5'
 
   when(spawnSync)
-    .calledWith('git', ['rev-parse', 'HEAD'], { encoding: 'utf8' })
+    .calledWith('git', ['rev-parse', 'HEAD'], { encoding: 'utf8', shell: false })
     .mockReturnValue({ stdout: commit, stderr: '', status: 0 } as never)
-    .calledWith('git', ['tag', '--contains', commit], { encoding: 'utf8' })
+    .calledWith('git', ['tag', '--contains', commit], { encoding: 'utf8', shell: false })
     .mockReturnValue({ stdout: tags.join('\n'), stderr: '', status: 0 } as never)
 }
diff --git a/src/version/version-packages.spec.ts b/src/version/version-packages.spec.ts
@@ -21,7 +21,7 @@ describe('versionPackages', () => {
         '--no-private',
         '--force-publish',
       ],
-      { encoding: 'utf8' }
+      { encoding: 'utf8', shell: false }
     )
   })
 
@@ -47,7 +47,7 @@ describe('versionPackages', () => {
         '--no-private',
         '--force-publish',
       ],
-      { encoding: 'utf8' }
+      { encoding: 'utf8', shell: false }
     )
   })
 
@@ -69,7 +69,7 @@ describe('versionPackages', () => {
         '--force-publish',
         '--let-bruce-wayne-decide',
       ],
-      { encoding: 'utf8' }
+      { encoding: 'utf8', shell: false }
     )
   })
 })