Skip to content

Commit 2cdb290

Browse files
mikaelbrmikaelbr
committed
patch: fixes security issue with non-escaping inputs [GHSL-2020-373]
1 parent 93fa026 commit 2cdb290

File tree

3 files changed

+22
-15
lines changed

3 files changed

+22
-15
lines changed

lib/utils.js

Lines changed: 3 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -270,9 +270,9 @@ module.exports.constructArgumentList = function(options, extra) {
270270
var keepNewlines = !!extra.keepNewlines;
271271
var wrapper = extra.wrapper === void 0 ? '"' : extra.wrapper;
272272

273-
var escapeFn = function(arg) {
273+
var escapeFn = function escapeFn(arg) {
274274
if (isArray(arg)) {
275-
return removeNewLines(arg.join(','));
275+
return removeNewLines(arg.map(escapeFn).join(','));
276276
}
277277

278278
if (!noEscape) {
@@ -285,9 +285,7 @@ module.exports.constructArgumentList = function(options, extra) {
285285
};
286286

287287
initial.forEach(function(val) {
288-
if (typeof val === 'string') {
289-
args.push(escapeFn(val));
290-
}
288+
args.push(escapeFn(val));
291289
});
292290
for (var key in options) {
293291
if (

test/notify-send.js

Lines changed: 18 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -63,23 +63,32 @@ describe('notify-send', function() {
6363
notifier.notify({ message: 'some\n "me\'ss`age`"' });
6464
});
6565

66-
it('should send additional parameters as --"keyname"', function(done) {
67-
var expected = ['"title"', '"body"', '--icon', '"icon-string"'];
66+
it('should escape array items as normal items', function(done) {
67+
var expected = [
68+
'"Hacked"',
69+
'"\\`touch HACKED\\`"',
70+
'--category',
71+
'"foo\\`touch exploit\\`"'
72+
];
6873

6974
expectArgsListToBe(expected, done);
7075
var notifier = new Notify({ suppressOsdCheck: true });
71-
notifier.notify({ title: 'title', message: 'body', icon: 'icon-string' });
76+
var options = JSON.parse(
77+
`{
78+
"title": "Hacked",
79+
"message":["\`touch HACKED\`"],
80+
"category": ["foo\`touch exploit\`"]
81+
}`
82+
);
83+
notifier.notify(options);
7284
});
7385

74-
it('should only include strings as arguments', function(done) {
75-
var expected = ['"HACKED"'];
86+
it('should send additional parameters as --"keyname"', function(done) {
87+
var expected = ['"title"', '"body"', '--icon', '"icon-string"'];
7688

7789
expectArgsListToBe(expected, done);
7890
var notifier = new Notify({ suppressOsdCheck: true });
79-
var options = JSON.parse(
80-
'{"title":"HACKED", "message":["`touch HACKED`"]}'
81-
);
82-
notifier.notify(options);
91+
notifier.notify({ title: 'title', message: 'body', icon: 'icon-string' });
8392
});
8493

8594
it('should remove extra options that are not supported by notify-send', function(done) {

test/terminal-notifier.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -211,7 +211,7 @@ describe('terminal-notifier', function() {
211211
'-message',
212212
'"body \\"message\\""',
213213
'-actions',
214-
'foo,bar,baz "foo" bar',
214+
'"foo","bar","baz \\"foo\\" bar"',
215215
'-json',
216216
'"true"'
217217
];

0 commit comments

Comments
 (0)