crookedneighbor / npm-unpack

A module to pack and unpack your modules.

tarFile argument is not shell escaped. #22

Closed mikesamuel closed 6 years ago

mikesamuel commented 6 years ago

https://github.com/crookedneighbor/npm-unpack/blob/90fa07890c285db94e6969134d66157c599d5b01/lib/tar.js#L5 calls child_process.exec in shell mode, so a tarfile path that includes shell metacharacters will break.

Specifically, a tarfile path like "/dev/null; ls -l /etc/passwd" will execute ls -l /etc/passwd and collect its output into stdout.

crookedneighbor commented 6 years ago

Would you like to open a PR?

mikesamuel commented 6 years ago

PR #23

crookedneighbor commented 6 years ago

Released with v0.1.1

Thanks!