Add an extra sanitizing step: test arguments passed to certificateFor with a (fairly permissive) regular expression limiting them to legal domain name chars
Fixes
Currently the run() command in utils.js does not sanitize its input, and other modules invoke run() with string-concatenated arguments including user input.
A downstream dependency that uses devcert with public input might unwittingly permit remote execution on their servers by passing shell commands.
This PR changes all "shell commands" to use Node child_process.execFileSync, which can only invoke specific executables with an array of arguments, rather than passing a full string to a shell to be evaluated.
Changes
run()to useexecFileSyncrun()certificateForwith a (fairly permissive) regular expression limiting them to legal domain name charsFixes
Currently the
run()command inutils.jsdoes not sanitize its input, and other modules invokerun()with string-concatenated arguments including user input.A downstream dependency that uses
devcertwith public input might unwittingly permit remote execution on their servers by passing shell commands.This PR changes all "shell commands" to use Node child_process.execFileSync, which can only invoke specific executables with an array of arguments, rather than passing a full string to a shell to be evaluated.