fix(packages): shell command built from environment values (#12386)
b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L6-L6)b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L10-L10)b7473371b3/packages/twenty-server/src/engine/core-modules/serverless/commands/add-packages.command.ts (L79-L79)To fix the issue, we should avoid dynamically constructing the shell command. Instead, we can use `execFile` or `execFileSync`, which let us pass arguments as an array, avoiding shell interpretation of special characters. This ensures that the `folderPath` is treated as a literal argument and is not subject to command injection. Specifically: 1. Replace the use of `execPromise` with `execFilePromise` (a promisified version of `execFile`). 2. Modify the `addToGit` method to pass the `folderPath` as an argument to `git add` instead of interpolating it into the command string. ---
@ -1,13 +1,13 @@
|
|||||||
import { Logger } from '@nestjs/common';
|
import { Logger } from '@nestjs/common';
|
||||||
|
|
||||||
|
import { execFile } from 'child_process';
|
||||||
import * as fs from 'fs/promises';
|
import * as fs from 'fs/promises';
|
||||||
import { resolve } from 'path';
|
import { resolve } from 'path';
|
||||||
import { promisify } from 'util';
|
import { promisify } from 'util';
|
||||||
import { exec } from 'child_process';
|
|
||||||
|
|
||||||
import { Command, CommandRunner, Option } from 'nest-commander';
|
import { Command, CommandRunner, Option } from 'nest-commander';
|
||||||
|
|
||||||
const execPromise = promisify(exec);
|
const execFilePromise = promisify(execFile);
|
||||||
|
|
||||||
@Command({
|
@Command({
|
||||||
name: 'serverless:add-packages',
|
name: 'serverless:add-packages',
|
||||||
@ -40,7 +40,6 @@ export class AddPackagesCommand extends CommandRunner {
|
|||||||
);
|
);
|
||||||
|
|
||||||
const currentVersion = await this.getLastLayerVersion();
|
const currentVersion = await this.getLastLayerVersion();
|
||||||
|
|
||||||
const newVersion = currentVersion + 1;
|
const newVersion = currentVersion + 1;
|
||||||
|
|
||||||
const currentVersionFolder = `${layersFolder}/${currentVersion}`;
|
const currentVersionFolder = `${layersFolder}/${currentVersion}`;
|
||||||
@ -71,12 +70,11 @@ export class AddPackagesCommand extends CommandRunner {
|
|||||||
|
|
||||||
private getAbsoluteFilePath(path: string) {
|
private getAbsoluteFilePath(path: string) {
|
||||||
const rootPath = process.cwd();
|
const rootPath = process.cwd();
|
||||||
|
|
||||||
return resolve(rootPath, path);
|
return resolve(rootPath, path);
|
||||||
}
|
}
|
||||||
|
|
||||||
private async addToGit(folderPath: string) {
|
private async addToGit(folderPath: string) {
|
||||||
await execPromise(`git add ${folderPath}`);
|
await execFilePromise('git', ['add', folderPath]);
|
||||||
}
|
}
|
||||||
|
|
||||||
private async cleanPackageInstallation(folderPath: string) {
|
private async cleanPackageInstallation(folderPath: string) {
|
||||||
@ -95,7 +93,7 @@ export class AddPackagesCommand extends CommandRunner {
|
|||||||
for (const packageName of packages) {
|
for (const packageName of packages) {
|
||||||
this.logger.log(`- adding '${packageName}'...`);
|
this.logger.log(`- adding '${packageName}'...`);
|
||||||
try {
|
try {
|
||||||
await execPromise(`yarn add ${packageName}`, {
|
await execFilePromise('yarn', ['add', packageName], {
|
||||||
cwd: folderPath,
|
cwd: folderPath,
|
||||||
});
|
});
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
|
|||||||
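Review bot: Both new execFile calls still pass an externally influenced string in a position where the child program parses options, so a folderPath or packageName beginning with `-` would be read by git or yarn as a flag rather than a name; execFile removes shell interpretation but not the program's own option parsing (hunk 3 at `execFilePromise('git', ['add', folderPath])` and hunk 4 at `execFilePromise('yarn', ['add', packageName], …)`). For git the standard end-of-options separator settles it: `await execFilePromise('git', ['add', '--', folderPath]);`. For yarn I would validate packageName before the call, at minimum `if (packageName.startsWith('-')) throw new Error('invalid package name: ' + packageName);`, and preferably check it against the npm package-name rules so only well-formed names reach the command. The loop in hunk 4 and its enclosing method continue outside the hunk, so I cannot see where packages comes from or whether it is already validated there.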