Skip to content

Fix nodejs breaking change CVE-2024-27980 #973

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 11 commits into from
May 3, 2024
Merged

Fix nodejs breaking change CVE-2024-27980 #973

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
7606993
Fix nodejs breaking change CVE-2024-27980
benibenj May 2, 2024
af842a2
validate commit messages for version bump
benibenj May 2, 2024
3e93e3f
Properly sanitize message
benibenj May 2, 2024
434754f
Remove unused shell-quote
benibenj May 2, 2024
97f8b80
:lipstick:
benibenj May 2, 2024
1188664
Commit message enclose in quotes
benibenj May 2, 2024
9e06c04
:lipstick:
benibenj May 2, 2024
b1bde5a
Only sanitize on windows
benibenj May 2, 2024
f6eb247
:lipstick:
benibenj May 2, 2024
dd558a9
Remove double checking
benibenj May 2, 2024
c1ced1d
:lipstick:
benibenj May 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 25 additions & 4 deletions src/package.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -395,25 +395,46 @@ export async function versionBump(options: IVersionBumpOptions): Promise<void> {
}
}


// call `npm version` to do our dirty work
const args = ['version', options.version];

if (options.commitMessage) {
args.push('-m', options.commitMessage);
const isWindows = process.platform === 'win32';

const commitMessage = isWindows ? sanitizeCommitMessage(options.commitMessage) : options.commitMessage;
if (commitMessage) {
args.push('-m', commitMessage);
}

if (!(options.gitTagVersion ?? true)) {
args.push('--no-git-tag-version');
}

const { stdout, stderr } = await promisify(cp.execFile)(process.platform === 'win32' ? 'npm.cmd' : 'npm', args, { cwd });

const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
if (!process.env['VSCE_TESTS']) {
process.stdout.write(stdout);
process.stderr.write(stderr);
}
}

function sanitizeCommitMessage(message?: string): string | undefined {
if (!message) {
return undefined;
}

// Remove any unsafe characters found by the unsafeRegex
// Check for characters that might escape quotes or introduce shell commands.
// Don't allow: ', ", `, $, \ (except for \n which is allowed)
const sanitizedMessage = message.replace(/(?<!\\)\\(?!n)|['"`$]/g, '');

if (sanitizedMessage.length === 0) {
return undefined;
}

// Add quotes as commit message is passed as a single argument to the shell
return `"${sanitizedMessage}"`;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Make sure that explicit quotes are really necessary when using shell: true, since I didn't find any reference to that in the docs.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With shell: false the arguments are passed directly to the executable as an array compared to shell; true for which they are pasted into the shell. To make sure that strings with spaces in them are considered as a single argument, quotes have to be added.

}

export const Targets = new Set([
'win32-x64',
'win32-arm64',
Expand Down
2 changes: 1 addition & 1 deletion src/test/package.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2940,7 +2940,7 @@ describe('version', function () {
const fixtureFolder = fixture('vsixmanifest');
let cwd: string;

const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8' });
const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8', shell: true });

beforeEach(() => {
dir = tmp.dirSync({ unsafeCleanup: true });
Expand Down