fix(create-docusaurus): potential security issue with command injection (#7507)

Sébastien Lorber 2022-05-27 10:41:15 +02:00 committed by GitHub
parent cd7cf781cd
commit dbd161d67c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 59 additions and 22 deletions


@ -13,6 +13,7 @@ import logger from '@docusaurus/logger';
import shell from 'shelljs';
import prompts, {type Choice} from 'prompts';
import supportsColor from 'supports-color';
import {escapeShellArg} from '@docusaurus/utils';
type CLIOptions = {
packageManager?: PackageManager;
@ -463,9 +464,11 @@ export default async function init(
logger.info('Creating new Docusaurus project...');
if (source.type === 'git') {
logger.info`Cloning Git template url=${source.url}...`;
const command = await getGitCommand(source.strategy);
if (shell.exec(`${command} ${source.url} ${dest}`).code !== 0) {
const gitCommand = await getGitCommand(source.strategy);
const gitCloneCommand = `${gitCommand} ${escapeShellArg(
source.url,
)} ${escapeShellArg(dest)}`;
if (shell.exec(gitCloneCommand).code !== 0) {
logger.error`Cloning Git template failed!`;
process.exit(1);
}
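Review bot: Quoting `source.url` and `dest` in the new `gitCloneCommand` keeps the shell from interpreting them, but a value that begins with `-` is still handed to git as an option rather than as a positional argument. Consider ending option parsing before the two arguments, with the template body `${gitCommand} -- ${escapeShellArg(source.url)} ${escapeShellArg(dest)}`, or rejecting such values before the command is built; this assumes every command `getGitCommand` can return accepts `--`, which is not visible in this hunk. `gitCommand` itself is still interpolated unquoted, so a comment stating that it only ever comes from a fixed list or from the person running the CLI would help. `escapeShellArg` is defined outside this hunk; confirm that its quoting also holds for the shell that `shell.exec` uses on Windows.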