fix(create-docusaurus): potential security issue with command injection (#7507)

2025-05-21 04:57:05 +02:00 · 2022-05-27 10:41:15 +02:00 · 2022-05-27 10:41:15 +02:00 · dbd161d67c
commit dbd161d67c
parent cd7cf781cd
7 changed files with 59 additions and 22 deletions
--- a/packages/docusaurus-utils/src/tests/shellUtils.test.ts
+++ b/packages/docusaurus-utils/src/tests/shellUtils.test.ts
@ -0,0 +1,19 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+import {escapeShellArg} from '../shellUtils';
+
+describe('shellUtils', () => {
+  it('escapeShellArg', () => {
+    expect(escapeShellArg('hello')).toBe("'hello'");
+    expect(escapeShellArg('*')).toBe("'*'");
+    expect(escapeShellArg('hello world')).toBe("'hello world'");
+    expect(escapeShellArg("'hello'")).toBe("\\''hello'\\'");
+    expect(escapeShellArg('$(pwd)')).toBe("'$(pwd)'");
+    expect(escapeShellArg('hello$(pwd)')).toBe("'hello$(pwd)'");
+  });
+});
--- a/packages/docusaurus-utils/src/gitUtils.ts
+++ b/packages/docusaurus-utils/src/gitUtils.ts
@ -97,26 +97,19 @@ export function getFileCommitDate(
    );
  }

-  let formatArg = '--format=%ct';
-  if (includeAuthor) {
-    formatArg += ',%an';
-  }
+  const args = [
+    `--format=%ct${includeAuthor ? ',%an' : ''}`,
+    '--max-count=1',
+    age === 'oldest' ? '--follow --diff-filter=A' : undefined,
+  ]
+    .filter(Boolean)
+    .join(' ');

-  let extraArgs = '--max-count=1';
-  if (age === 'oldest') {
-    // --follow is necessary to follow file renames
-    // --diff-filter=A ensures we only get the commit which (A)dded the file
-    extraArgs += ' --follow --diff-filter=A';
-  }
-
-  const result = shell.exec(
-    `git log ${extraArgs} ${formatArg} -- "${path.basename(file)}"`,
-    {
-      // Setting cwd is important, see: https://github.com/facebook/docusaurus/pull/5048
-      cwd: path.dirname(file),
-      silent: true,
-    },
-  );
+  const result = shell.exec(`git log ${args} -- "${path.basename(file)}"`, {
+    // Setting cwd is important, see: https://github.com/facebook/docusaurus/pull/5048
+    cwd: path.dirname(file),
+    silent: true,
+  });
  if (result.code !== 0) {
    throw new Error(
      `Failed to retrieve the git history for file "${file}" with exit code ${result.code}: ${result.stderr}`,
--- a/packages/docusaurus-utils/src/index.ts
+++ b/packages/docusaurus-utils/src/index.ts
@ -96,6 +96,7 @@ export {
  createAbsoluteFilePathMatcher,
 } from './globUtils';
 export {getFileLoaderUtils} from './webpackUtils';
+export {escapeShellArg} from './shellUtils';
 export {
  getDataFilePath,
  getDataFileData,
--- a/packages/docusaurus-utils/src/shellUtils.ts
+++ b/packages/docusaurus-utils/src/shellUtils.ts
@ -0,0 +1,18 @@
+/**
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+// TODO move from shelljs to execa later?
+// Execa is well maintained and widely used
+// Even shelljs recommends execa for security / escaping:
+// https://github.com/shelljs/shelljs/wiki/Security-guidelines
+
+// Inspired by https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js
+export function escapeShellArg(s: string): string {
+  let res = `'${s.replace(/'/g, "'\\''")}'`;
+  res = res.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'");
+  return res;
+}