
Commit 47d92e9

committed
Escape shell args
Passing strings to diff as unescaped shell arguments to printf can result in unexpected (and potentially exploitable) behaviour if the strings contain special characters, such as backticks (`).
1 parent 39a2290 commit 47d92e9


2 files changed

+12
-2
lines changed


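--- a/js/gitDiffReal/bugFixes.spec.js
+++ b/js/gitDiffReal/bugFixes.spec.js
@@ -21,5 +21,11 @@ describe('gitDiffReal', function() {
 var actual = gitDiffReal('<a>', '<b>', {color: false, wordDiff: true})
 imp.expect(actual).to.equal(expected)
 })
+
+it('` in string is not interpreted as shell subcommand', function() {
+var expected = '@@ -1 +1 @@\n[-`a`b-]{+`c`d+}\n'
+var actual = gitDiffReal('`a`b', '`c`d', {color: false, wordDiff: true})
+imp.expect(actual).to.equal(expected)
+})
 })
 })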
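Review bot: The new case only covers backticks, yet the one character escapeShellArg actually rewrites is the single quote, so the escaping logic itself has no test. Add a case in the same shape as lines 25–29, e.g. `gitDiffReal("a'b", "c'd", {color: false, wordDiff: true})` expecting `'@@ -1 +1 @@\n[-a\'b-]{+c\'d+}\n'` (same word-diff layout as the backtick case, to be confirmed against a run). A `%`-containing input such as `'100%'` is also worth pinning, because the escaped string is still handed to printf as its format argument. The enclosing describe blocks start outside the hunk.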

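--- a/js/gitDiffReal/generateDiff/index.js
+++ b/js/gitDiffReal/generateDiff/index.js
@@ -12,6 +12,10 @@ logger.setLevel('info')
 // git diff $(printf 'my first string' | git hash-object -w --stdin) $(printf 'my second string' | git hash-object -w --stdin) --word-diff
 // git diff $(printf 'This is a test for my diff tool\nIt is a big test\n\nNo diff here\n\nBut there might be here\nBut not here\n\nOr here\n' | git hash-object -w --stdin) $(printf 'This is a test for my difference tool\nIt is a small test\n\nNo diff here\n\nBut there might be here!\nBut not here\n\nOr here\n' | git hash-object -w --stdin) --word-diff
 
+function escapeShellArg(arg) {
+return "'" + arg.replace(/'/g, "'\\''") + "'"
+}
+
 function generateDiff(str1, str2, options, gitDir) {
 
 var DEFAULTS = require('../../_shared/defaultOptions')
@@ -23,8 +27,8 @@ function generateDiff(str1, str2, options, gitDir) {
 }
 
 // Single quotes is needed here to avoid .. event not found
-var gitHashCmd1 = 'printf ' + JSON.stringify(str1) + ' | git ' + gitDir + ' hash-object -w --stdin'
-var gitHashCmd2 = 'printf ' + JSON.stringify(str2) + ' | git ' + gitDir + ' hash-object -w --stdin'
+var gitHashCmd1 = 'printf ' + escapeShellArg(str1) + ' | git ' + gitDir + ' hash-object -w --stdin'
+var gitHashCmd2 = 'printf ' + escapeShellArg(str2) + ' | git ' + gitDir + ' hash-object -w --stdin'
 
 var gitHashObj1 = exec(gitHashCmd1, {silent: true})
 var gitHashObj2 = exec(gitHashCmd2, {silent: true})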
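Review bot: The single-quoted string is still printf's format argument on new lines 30–31, so `%` sequences and backslash escapes in str1/str2 are interpreted by printf rather than hashed verbatim, and an input beginning with `-` can be taken as a printf option; the quoting stops the shell from interpreting the text but not printf. Pass the data as an argument to a fixed format instead: `var gitHashCmd1 = "printf '%s' " + escapeShellArg(str1) + ' | git ' + gitDir + ' hash-object -w --stdin'` and the same for gitHashCmd2; with single quoting a real newline in the JS string already reaches printf literally, so `%s` preserves it. escapeShellArg itself is the standard POSIX-sh quoting and looks correct, but it assumes exec runs a POSIX shell — worth a comment on the function stating that. gitDir is still interpolated unescaped; presumably it is not user-derived, but that should be confirmed. generateDiff continues outside the hunk.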
