
[CE-1330] Escaping args (#167)
* Escaping args
drazisil committed Feb 4, 2020
1 parent bac0787 commit 02cf13d
Showing 5 changed files with 18 additions and 13 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -27,3 +27,4 @@ node_modules

lib-cov/
coverage.json
.vs-code
16 changes: 10 additions & 6 deletions lib/codecov.js
Expand Up @@ -5,7 +5,6 @@ var urlgrey = require('urlgrey')
var jsYaml = require('js-yaml')
var walk = require('ignore-walk')
var execSync = require('child_process').execSync
var validator = require('validator')

var detectProvider = require('./detect')

Expand Down Expand Up @@ -394,13 +393,13 @@ var upload = function(args, on_success, on_failure) {
if (!isWindows) {
gcov =
'find ' +
(args.options['gcov-root'] || root) +
(sanitizeVar(args.options['gcov-root']) || root) +
" -type f -name '*.gcno' " +
gcg +
' -exec ' +
(validator.escape(args.options['gcov-exec']) || 'gcov') +
(sanitizeVar(args.options['gcov-exec']) || 'gcov') +
' ' +
(validator.escape(args.options['gcov-args']) || '') +
(sanitizeVar(args.options['gcov-args']) || '') +
' {} +'
} else {
// @TODO support for root
Expand All @@ -409,9 +408,9 @@ var upload = function(args, on_success, on_failure) {
'for /f "delims=" %g in (\'dir /a-d /b /s *.gcno ' +
gcg +
"') do " +
(args.options['gcov-exec'] || 'gcov') +
(sanitizeVar(args.options['gcov-exec']) || 'gcov') +
' ' +
(args.options['gcov-args'] || '') +
(sanitizeVar(args.options['gcov-args']) || '') +
' %g'
}
debug.push(gcov)
Expand Down Expand Up @@ -556,7 +555,12 @@ var upload = function(args, on_success, on_failure) {
}
}

function sanitizeVar(arg) {
return arg.replace(/&/g, '')
}

module.exports = {
sanitizeVar: sanitizeVar,
upload: upload,
version: version,
sendToCodecovV2: sendToCodecovV2,
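Review bot: `sanitizeVar` at line 64 calls `arg.replace` unconditionally, so every call site that previously tolerated an unset option (`args.options['gcov-root'] || root`, and the Windows-branch `gcov-exec`/`gcov-args` fallbacks, which never went through `validator.escape`) now throws a TypeError when that option is absent, unless these options are defaulted somewhere outside the hunk. Stripping only `&` also does not make the value safe to splice into the `execSync` command string built just above it: neither the old HTML-style escaping nor the new single-character removal is a shell-safe transformation, and other metacharacters pass through unchanged. I would make the helper null-safe and allowlist-based, e.g. `if (arg == null) return arg` followed by `if (!/^[\w./\\ =-]+$/.test(String(arg))) throw new Error('unsafe characters in option: ' + arg)`, or better, stop composing a shell string and pass these values as separate arguments via `child_process.execFileSync`. The same concern applies to both the POSIX hunk (-394) and the Windows hunk (-409); `upload` begins and ends outside the hunks shown.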
5 changes: 0 additions & 5 deletions package-lock.json


3 changes: 1 addition & 2 deletions package.json
Expand Up @@ -35,8 +35,7 @@
"ignore-walk": "3.0.3",
"js-yaml": "3.13.1",
"teeny-request": "6.0.1",
"urlgrey": "0.4.4",
"validator": "12.2.0"
"urlgrey": "0.4.4"
},
"devDependencies": {
"eslint": "^5.16.0",
6 changes: 6 additions & 0 deletions test/index.test.js
Expand Up @@ -276,4 +276,10 @@ describe('Codecov', function() {
expect(res.query.yaml).toBe(process.cwd() + '/foo.yml')
mockFs.restore()
})

it('can sanitize inputs', function() {
expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
'real run unsafe command'
)
})
})
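Review bot: The new test at line 96 pins only the `&`-stripping case and does not exercise an absent option, even though the call sites in lib/codecov.js now pass `args.options[...]` into `sanitizeVar` before their `|| 'gcov'` fallbacks are applied. A second case such as `expect(codecov.sanitizeVar(undefined)).toBeUndefined()` (or whatever null-handling the helper is meant to provide) would document the intended contract, and with the helper as written it would currently fail because `undefined.replace` throws. The enclosing `describe` block starts outside the hunk.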
