Commit 75ca0f6
committed
fix(auth): replace exec() with execFile/spawn to prevent shell injection (#79)
src/auth/oauth.ts passed the OAuth authorization URL directly to exec():
exec(`${openCmd} "${authUrl}"`)
exec() passes the string to a shell (/bin/sh on Unix, cmd.exe on Windows).
A crafted authorization URL containing shell metacharacters (e.g. from a
malicious or tampered authorization server redirect) could execute arbitrary
commands on the user's machine.
Fix: replace exec() with execFile() on macOS/Linux (which bypasses the shell
entirely) and spawn() on Windows (since 'start' is a shell built-in that
requires cmd.exe, spawned with shell:false and an explicit empty title arg
to prevent argument injection).
Closes part of #791 parent 813ff4c commit 75ca0f6
1 file changed
Lines changed: 13 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
48 | | - | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
49 | 52 | | |
50 | | - | |
51 | | - | |
52 | 53 | | |
53 | | - | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
54 | 62 | | |
55 | 63 | | |
56 | 64 | | |
| |||
0 commit comments