mirror of
https://github.com/node-red/node-red.git
synced 2023-10-10 13:36:53 +02:00
Use child_process.execFile to prevent command injection
parent
985875cc75
commit
075a2abf71
@ -135,7 +135,7 @@ function installModule(module) {
|
||||
log.info(log._("server.install.installing",{name: module}));
|
||||
|
||||
var installDir = settings.userDir || process.env.NODE_RED_HOME || ".";
|
||||
var child = child_process.exec('npm install --production '+module,
|
||||
var child = child_process.execFile('npm',['install','--production',module],
|
||||
{
|
||||
cwd: installDir
|
||||
},
|
||||
@ -206,7 +206,7 @@ function uninstallModule(module) {
|
||||
|
||||
var list = removeModule(module);
|
||||
log.info(log._("server.install.uninstalling",{name:module}));
|
||||
var child = child_process.exec('npm remove '+module,
|
||||
var child = child_process.execFile('npm',['remove',module],
|
||||
{
|
||||
cwd: installDir
|
||||
},
|
||||
|
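Review bot: Moving to `execFile` keeps the shell from interpreting `module`, but the value still reaches npm as an ordinary argument in both `installModule` and `uninstallModule`, so a name beginning with `-` would be read as an npm option, and an install spec can also be a URL, git reference or local path rather than a registry name. Neither hunk shows the start of these functions, so any validation done earlier is not visible here; if the install path has none, check the name against the accepted package-name pattern before the call. An end-of-options marker, `child_process.execFile('npm',['install','--production','--',module],`, would be a cheap second layer, assuming the npm versions in use honour `--`. Separately, `execFile` does not go through a shell, so on Windows, where npm is installed as `npm.cmd`, spawning `'npm'` is likely to fail; choosing the command name from `process.platform` would avoid that.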
@ -291,7 +291,7 @@ describe("red/nodes/index", function() {
|
||||
});
|
||||
|
||||
it("rejects when npm returns a 404", function(done) {
|
||||
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
|
||||
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
|
||||
cb(new Error(),""," 404 this_wont_exist");
|
||||
});
|
||||
|
||||
@ -303,7 +303,7 @@ describe("red/nodes/index", function() {
|
||||
});
|
||||
});
|
||||
it("rejects with generic error", function(done) {
|
||||
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
|
||||
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
|
||||
cb(new Error("test_error"),"","");
|
||||
});
|
||||
|
||||
@ -317,7 +317,7 @@ describe("red/nodes/index", function() {
|
||||
});
|
||||
it("succeeds when module is found", function(done) {
|
||||
var nodeInfo = {nodes:{module:"foo",types:["a"]}};
|
||||
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
|
||||
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
|
||||
cb(null,"","");
|
||||
});
|
||||
var addModule = sinon.stub(registry,"addModule",function(md) {
|
||||
@ -337,20 +337,6 @@ describe("red/nodes/index", function() {
|
||||
addModule.restore();
|
||||
});
|
||||
});
|
||||
it.skip("reports added modules", function() {
|
||||
var nodes = {nodes:[
|
||||
{types:["a"]},
|
||||
{module:"foo",types:["b"]},
|
||||
{types:["c"],err:"error"}
|
||||
]};
|
||||
var result = index.reportAddedModules(nodes);
|
||||
|
||||
result.should.equal(nodes);
|
||||
commsMessages.should.have.length(1);
|
||||
commsMessages[0].topic.should.equal("node/added");
|
||||
commsMessages[0].msg.should.eql(nodes.nodes);
|
||||
});
|
||||
|
||||
});
|
||||
describe("uninstalls module", function() {
|
||||
it("rejects invalid module names", function(done) {
|
||||
@ -369,7 +355,7 @@ describe("red/nodes/index", function() {
|
||||
var removeModule = sinon.stub(registry,"removeModule",function(md) {
|
||||
return when.resolve(nodeInfo);
|
||||
});
|
||||
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
|
||||
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
|
||||
cb(new Error("test_error"),"","");
|
||||
});
|
||||
|
||||
@ -390,7 +376,7 @@ describe("red/nodes/index", function() {
|
||||
var getModuleInfo = sinon.stub(registry,"getModuleInfo",function(md) {
|
||||
return {nodes:[]};
|
||||
});
|
||||
var exec = sinon.stub(child_process,"exec",function(cmd,opt,cb) {
|
||||
var exec = sinon.stub(child_process,"execFile",function(cmd,args,opt,cb) {
|
||||
cb(null,"","");
|
||||
});
|
||||
|
||||
@ -411,21 +397,6 @@ describe("red/nodes/index", function() {
|
||||
getModuleInfo.restore();
|
||||
});
|
||||
});
|
||||
|
||||
it.skip("reports removed modules", function() {
|
||||
var nodes = [
|
||||
{types:["a"]},
|
||||
{module:"foo",types:["b"]},
|
||||
{types:["c"],err:"error"}
|
||||
];
|
||||
var result = server.reportRemovedModules(nodes);
|
||||
|
||||
result.should.equal(nodes);
|
||||
commsMessages.should.have.length(1);
|
||||
commsMessages[0].topic.should.equal("node/removed");
|
||||
commsMessages[0].msg.should.eql(nodes);
|
||||
});
|
||||
|
||||
});
|
||||
|
||||
});
|
||||
|
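Review bot: The replacement stubs accept `cmd` and `args` but never inspect them, so every one of these tests would still pass if the production call went back to building a single command string or passed the wrong argument list. In at least one install and one uninstall case, assert the call shape inside the stub, for example `cmd.should.equal("npm"); args.slice(0,2).should.eql(["install","--production"]);`, and check that the last element of `args` is exactly the name the test requested. A case whose module name contains whitespace or shell metacharacters, asserting that it arrives as one unmodified `args` element, would pin the behaviour this commit is meant to guarantee. The test bodies extend beyond the hunks shown, so any assertions already made on the stub elsewhere are not visible here.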