Merge branch 'EvolutionAPI:develop' into develop

neocol83 · web-flow · commit ebe2c70b9f3b · 2025-04-08T16:18:24.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# 2.2.4 (hotfix)
+
+### Fixed
+
+* Shell injection vulnerability
+
 # 2.2.3 (2025-02-03 11:52)
 
 ### Fixed
diff --git a/src/api/integrations/storage/s3/libs/minio.server.ts b/src/api/integrations/storage/s3/libs/minio.server.ts
@@ -63,9 +63,9 @@ const createBucket = async () => {
       if (!exists) {
         await minioClient.makeBucket(bucketName);
       }
-
-      await setBucketPolicy();
-
+      if (!BUCKET.SKIP_POLICY) {
+        await setBucketPolicy();
+      }
       logger.info(`S3 Bucket ${bucketName} - ON`);
       return true;
     } catch (error) {
diff --git a/src/api/provider/sessions.ts b/src/api/provider/sessions.ts
@@ -1,7 +1,7 @@
 import { Auth, ConfigService, ProviderSession } from '@config/env.config';
 import { Logger } from '@config/logger.config';
 import axios from 'axios';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 
 type ResponseSuccess = { status: number; data?: any };
 type ResponseProvider = Promise<[ResponseSuccess?, Error?]>;
@@ -36,7 +36,7 @@ export class ProviderFiles {
       } catch (error) {
         this.logger.error(['Failed to connect to the file server', error?.message, error?.stack]);
         const pid = process.pid;
-        execSync(`kill -9 ${pid}`);
+        execFileSync('kill', ['-9', `${pid}`]);
       }
     }
   }
diff --git a/src/api/services/monitor.service.ts b/src/api/services/monitor.service.ts
@@ -7,7 +7,7 @@ import { CacheConf, Chatwoot, ConfigService, Database, DelInstance, ProviderSess
 import { Logger } from '@config/logger.config';
 import { INSTANCE_DIR, STORE_DIR } from '@config/path.config';
 import { NotFoundException } from '@exceptions';
-import { execSync } from 'child_process';
+import { execFileSync } from 'child_process';
 import EventEmitter2 from 'eventemitter2';
 import { rmSync } from 'fs';
 import { join } from 'path';
@@ -169,7 +169,8 @@ export class WAMonitoringService {
 
   public async cleaningStoreData(instanceName: string) {
     if (this.configService.get<Chatwoot>('CHATWOOT').ENABLED) {
-      execSync(`rm -rf ${join(STORE_DIR, 'chatwoot', instanceName + '*')}`);
+      const instancePath = join(STORE_DIR, 'chatwoot', instanceName);
+      execFileSync('rm', ['-rf', instancePath]);
     }
 
     const instance = await this.prismaRepository.instance.findFirst({
diff --git a/src/config/env.config.ts b/src/config/env.config.ts
@@ -277,6 +277,7 @@ export type S3 = {
   PORT?: number;
   USE_SSL?: boolean;
   REGION?: string;
+  SKIP_POLICY?: boolean;
 };
 
 export type CacheConf = { REDIS: CacheConfRedis; LOCAL: CacheConfLocal };
@@ -635,6 +636,7 @@ export class ConfigService {
         PORT: Number.parseInt(process.env?.S3_PORT || '9000'),
         USE_SSL: process.env?.S3_USE_SSL === 'true',
         REGION: process.env?.S3_REGION,
+        SKIP_POLICY: process.env?.S3_SKIP_POLICY === 'true',
       },
       AUTHENTICATION: {
         API_KEY: {

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`import { Auth, ConfigService, ProviderSession } from '@config/env.config';`
`2`	`2`	`import { Logger } from '@config/logger.config';`
`3`	`3`	`import axios from 'axios';`
`4`		`-import { execSync } from 'child_process';`
	`4`	`+import { execFileSync } from 'child_process';`
`5`	`5`
`6`	`6`	`type ResponseSuccess = { status: number; data?: any };`
`7`	`7`	`type ResponseProvider = Promise<[ResponseSuccess?, Error?]>;`
`@@ -36,7 +36,7 @@ export class ProviderFiles {`
`36`	`36`	`} catch (error) {`
`37`	`37`	`this.logger.error(['Failed to connect to the file server', error?.message, error?.stack]);`
`38`	`38`	`const pid = process.pid;`
`39`		- execSync(`kill -9 ${pid}`);
	`39`	+ execFileSync('kill', ['-9', `${pid}`]);
`40`	`40`	`}`
`41`	`41`	`}`
`42`	`42`	`}`