3pp-mirror/docusaurus
1
0
Fork 0
mirror of https://github.com/facebook/docusaurus.git synced 2025-06-09 06:12:28 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix(create-docusaurus): potential security issue with command injection (#7507)

Browse source
This commit is contained in:
Sébastien Lorber 2022-05-27 10:41:15 +02:00 committed by GitHub
parent cd7cf781cd
commit dbd161d67c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 59 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

18
packages/docusaurus-utils/src/shellUtils.ts Normal file
View file

@ -0,0 +1,18 @@
/**
* Copyright (c) Facebook, Inc. and its affiliates.
*
* This source code is licensed under the MIT license found in the
* LICENSE file in the root directory of this source tree.
*/
// TODO move from shelljs to execa later?
// Execa is well maintained and widely used
// Even shelljs recommends execa for security / escaping:
// https://github.com/shelljs/shelljs/wiki/Security-guidelines
// Inspired by https://github.com/xxorax/node-shell-escape/blob/master/shell-escape.js
export function escapeShellArg(s: string): string {
let res = `'${s.replace(/'/g, "'\\''")}'`;
res = res.replace(/^(?:'')+/g, '').replace(/\\'''/g, "\\'");
return res;
}