Use child_process.execFile to prevent command injection

This commit is contained in:
Nick O'Leary 2015-11-08 14:26:11 +00:00
parent 985875cc75
commit 075a2abf71
2 changed files with 7 additions and 36 deletions


@ -135,7 +135,7 @@ function installModule(module) {
log.info(log._("server.install.installing",{name: module}));
var installDir = settings.userDir || process.env.NODE_RED_HOME || ".";
var child = child_process.exec('npm install --production '+module,
var child = child_process.execFile('npm',['install','--production',module],
{
cwd: installDir
},
@ -206,7 +206,7 @@ function uninstallModule(module) {
var list = removeModule(module);
log.info(log._("server.install.uninstalling",{name:module}));
var child = child_process.exec('npm remove '+module,
var child = child_process.execFile('npm',['remove',module],
{
cwd: installDir
},
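Review bot: The value of `module` is still handed to npm unvalidated in the `execFile` call at the start of this hunk, so a value beginning with `-` could be parsed by npm as an option rather than a package name, even though the shell is now out of the picture; the same applies to the `['remove',module]` call in the uninstallModule hunk below. If the caller does not already enforce a package-name pattern (the test file's "rejects invalid module names" case suggests some check exists, but it is not visible here), a guard such as `if (/^-/.test(module)) { return when.reject(new Error("Invalid module name")); }` before the spawn would close that gap. A second, portability point: on Windows `npm` is a `.cmd` shim, and `execFile` without a shell typically cannot spawn it, so this may surface as ENOENT there — worth a comment like `// execFile avoids shell interpolation of module; note npm is a .cmd on Windows` and a follow-up. Both installModule and uninstallModule begin before and end after their hunks.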


@ -291,7 +291,7 @@ describe("red/nodes/index", function() {
});
it("rejects when npm returns a 404", function(done) {
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
cb(new Error(),""," 404 this_wont_exist");
});
@ -303,7 +303,7 @@ describe("red/nodes/index", function() {
});
});
it("rejects with generic error", function(done) {
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
cb(new Error("test_error"),"","");
});
@ -317,7 +317,7 @@ describe("red/nodes/index", function() {
});
it("succeeds when module is found", function(done) {
var nodeInfo = {nodes:{module:"foo",types:["a"]}};
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
cb(null,"","");
});
var addModule = sinon.stub(registry,"addModule",function(md) {
@ -337,20 +337,6 @@ describe("red/nodes/index", function() {
addModule.restore();
});
});
it.skip("reports added modules", function() {
var nodes = {nodes:[
{types:["a"]},
{module:"foo",types:["b"]},
{types:["c"],err:"error"}
]};
var result = index.reportAddedModules(nodes);
result.should.equal(nodes);
commsMessages.should.have.length(1);
commsMessages[0].topic.should.equal("node/added");
commsMessages[0].msg.should.eql(nodes.nodes);
});
});
describe("uninstalls module", function() {
it("rejects invalid module names", function(done) {
@ -369,7 +355,7 @@ describe("red/nodes/index", function() {
var removeModule = sinon.stub(registry,"removeModule",function(md) {
return when.resolve(nodeInfo);
});
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
cb(new Error("test_error"),"","");
});
@ -390,7 +376,7 @@ describe("red/nodes/index", function() {
var getModuleInfo = sinon.stub(registry,"getModuleInfo",function(md) {
return {nodes:[]};
});
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
cb(null,"","");
});
@ -411,21 +397,6 @@ describe("red/nodes/index", function() {
getModuleInfo.restore();
});
});
it.skip("reports removed modules", function() {
var nodes = [
{types:["a"]},
{module:"foo",types:["b"]},
{types:["c"],err:"error"}
];
var result = server.reportRemovedModules(nodes);
result.should.equal(nodes);
commsMessages.should.have.length(1);
commsMessages[0].topic.should.equal("node/removed");
commsMessages[0].msg.should.eql(nodes);
});
});
});
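Review bot: None of the updated `execFile` stubs (hunks at 291, 303, 317, 369 and 390) inspect `cmd` or `args`, so the tests would still pass if the install code regressed to building a single command string, which is exactly what this commit is meant to prevent. In the "succeeds when module is found" and the uninstall success cases, asserting inside the stub, e.g. `cmd.should.equal('npm'); args.should.eql(['install','--production', expectedModule]);` with the module name that test passes (and `['remove', expectedModule]` on the uninstall side), would pin the argv form. The `describe`/`it` blocks these stubs sit in start and end outside the hunks, and the removed `it.skip` blocks are not at issue.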