From 04c9f0ebf72e38ec0bbed3f2fc1939777f04936d Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Fri, 8 May 2020 20:25:24 +0530 Subject: [PATCH 1/3] Fixed Command Injection --- index.js | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/index.js b/index.js index b0397e6..10e3650 100644 --- a/index.js +++ b/index.js @@ -1,7 +1,7 @@ 'use strict'; var chalk = require('chalk'); -var exec = require('child_process').exec; +var execFile = require('child_process').execFile; var fsx = require('fs-extra'); var globby = require('globby'); var path = require('path'); @@ -122,13 +122,15 @@ function buildRpm(buildRoot, specFile, rpmDest, execOpts, cb) { '--buildroot', buildRoot, specFile - ].join(' '); + ]; + var cmdFile = cmd[0]; + cmd.shift(); logger(chalk.cyan('Executing:'), cmd); execOpts = execOpts || {}; - exec(cmd, execOpts, function rpmbuild(err, stdout) { + execFile(cmdFile, [cmd], execOpts, function rpmbuild(err, stdout) { if (err) { return cb(err); From c2cd8de5339cee6cb514208175f2eda043f61f9b Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Fri, 8 May 2020 20:52:49 +0530 Subject: [PATCH 2/3] full cmd needs to be given to the logger() --- index.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/index.js b/index.js index 10e3650..6106af8 100644 --- a/index.js +++ b/index.js @@ -123,10 +123,12 @@ function buildRpm(buildRoot, specFile, rpmDest, execOpts, cb) { buildRoot, specFile ]; + var cmdFile = cmd[0]; - cmd.shift(); - + logger(chalk.cyan('Executing:'), cmd); + + cmd.shift(); execOpts = execOpts || {}; From 6528f23c4aa594e9afe578826c3af53d952aa8fb Mon Sep 17 00:00:00 2001 From: Mufeed VH Date: Fri, 8 May 2020 21:46:29 +0530 Subject: [PATCH 3/3] minor fix --- index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.js b/index.js index 6106af8..0f5f4eb 100644 --- a/index.js +++ b/index.js 
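Review bot: `specFile` is still passed to rpmbuild as a bare positional argument in the array built in the `@@ -122,13 +122,15 @@` hunk of patch 1/3, so a value beginning with `-` would be parsed as an rpmbuild option even though no shell is involved any more. Where `specFile` comes from is not visible here. If a caller can influence it, writing `path.resolve(specFile)` in the array (the file already requires `path`) makes the argument always an absolute path. The start of the array and the rest of `buildRpm` lie outside the hunk.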
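Review bot: The log call in the `@@ -123,10 +123,12 @@` hunk of patch 2/3 now only works because it runs before `cmd.shift()`, and it receives an array where it used to receive the joined string, so the "Executing:" output depends on how `logger` formats arrays (not visible here). Taking the program name first and logging a display string removes the ordering dependency: `var cmdFile = cmd.shift();` followed by `logger(chalk.cyan('Executing:'), [cmdFile].concat(cmd).join(' '));`. The joined string is for display only; the array is what should keep going to `execFile`.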
@@ -132,7 +132,7 @@ function buildRpm(buildRoot, specFile, rpmDest, execOpts, cb) { execOpts = execOpts || {}; - execFile(cmdFile, [cmd], execOpts, function rpmbuild(err, stdout) { + execFile(cmdFile, cmd, execOpts, function rpmbuild(err, stdout) { if (err) { return cb(err);
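Review bot: `execOpts` is forwarded to `execFile` unchanged, and `child_process.execFile` honours a `shell` option, so a caller that sets `execOpts.shell` sends the arguments back through a shell and undoes the injection fix. Forcing the option off on a copy closes that gap without mutating the caller's object: `execOpts = Object.assign({}, execOpts, { shell: false });` in place of `execOpts = execOpts || {};`. A regression test that passes a `buildRoot` containing shell metacharacters and asserts it reaches the child process as a single argument would pin the behaviour. The callback body continues outside the hunk.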