From b1fa143dd8cbebd9847972c08fb383646ca00642 Mon Sep 17 00:00:00 2001
From: Jordan Harband
Date: Sat, 2 Dec 2023 14:44:46 -0800
Subject: [PATCH] [Fix] `nvm_get_mirror`: ensure only a valid URL is allowed
---
 nvm.sh | 8 +++++++-
 test/fast/Unit tests/nvm_get_mirror | 27 +++++++++++++++++----------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/nvm.sh b/nvm.sh
index aa9afad..be5b34d 100644
--- a/nvm.sh
+++ b/nvm.sh
@@ -2035,12 +2035,18 @@ nvm_get_mirror() {
 esac
 case "${NVM_MIRROR}" in
- *\`* | *\\* | *\'* | *\(* )
+ *\`* | *\\* | *\'* | *\(* | *' '* )
 nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
 return 2
 ;;
 esac
+
+ if ! nvm_echo "${NVM_MIRROR}" | command awk '{ $0 ~ "^https?://[a-zA-Z0-9./_-]+$" }'; then
+ nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
+ return 2
+ fi
+
 nvm_echo "${NVM_MIRROR}"
 }
diff --git a/test/fast/Unit tests/nvm_get_mirror b/test/fast/Unit tests/nvm_get_mirror
index 1980f38..201a0ee 100755
--- a/test/fast/Unit tests/nvm_get_mirror
+++ b/test/fast/Unit tests/nvm_get_mirror
@@ -23,18 +23,25 @@ set -e
 [ "$(nvm_get_mirror node std)" = "https://nodejs.org/dist" ] || die "incorrect default node-std mirror"
 [ "$(nvm_get_mirror iojs std)" = "https://iojs.org/dist" ] || die "incorrect default iojs-std mirror"
-NVM_NODEJS_ORG_MIRROR="test://domain"
-[ "$(nvm_get_mirror node std)" = "test://domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR"
+NVM_NODEJS_ORG_MIRROR="https://test-domain"
+[ "$(nvm_get_mirror node std)" = "https://test-domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR"
 unset NVM_NODEJS_ORG_MIRROR
-NVM_IOJS_ORG_MIRROR="test://domain"
-[ "$(nvm_get_mirror iojs std)" = "test://domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR"
+NVM_IOJS_ORG_MIRROR="https://test-domain"
+[ "$(nvm_get_mirror iojs std)" = "https://test-domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR"
 unset NVM_IOJS_ORG_MIRROR
-NVM_NODEJS_ORG_MIRROR='`do something bad`'
-! nvm_get_mirror node std || die 'NVM_NODEJS_ORG_MIRROR errors with command injection attempt'
-[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection'
+testMirrors() {
+ NVM_NODEJS_ORG_MIRROR="${1-}"
+ ! nvm_get_mirror node std || die "NVM_NODEJS_ORG_MIRROR errors with command injection attempt (${1-})"
+ [ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection'
-NVM_IOJS_ORG_MIRROR='`do something bad`'
-! nvm_get_mirror iojs std || die 'NVM_IOJS_ORG_MIRROR errors with command injection attempt'
-[ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection'
+ NVM_IOJS_ORG_MIRROR="${1-}"
+ ! nvm_get_mirror iojs std || die "NVM_IOJS_ORG_MIRROR errors with command injection attempt (${1-})"
+ [ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection'
+}
+
+testMirrors '`do something bad`'
+testMirrors 'https://nodejs.org/dist; xdg-open http://www.google.com;'
+testMirrors 'https://nodejs.org/dist&&xdg-open http://www.google.com;'
+testMirrors 'https://nodejs.org/dist|xdg-open http://www.google.com;'
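Review bot: The awk program on the new `if` line never rejects anything: `{ $0 ~ "..." }` evaluates the match as a bare statement and discards its value, so awk exits 0 for every input and the `return 2` below it is unreachable; the only protection this hunk actually adds is the `*' '*` pattern in the case above, and the new test cases appear to pass for that reason alone. The match result has to drive the exit status, for example `if ! nvm_echo "${NVM_MIRROR}" | command awk 'NR > 1 || $0 !~ "^https?://[a-zA-Z0-9./_-]+$" { exit 1 }'; then`, where the `NR > 1` clause also rejects a value carrying an embedded newline, which neither the case patterns nor a first-line-only match would catch. Once the check is live, be aware that the character class refuses otherwise legitimate mirrors with a port (`:`), percent-encoding (`%`) or `~` in the path, so the allowed set should be widened deliberately rather than discovered through breakage reports. `nvm_get_mirror` begins before this hunk, so whether `NVM_MIRROR` can reach this point empty (awk would exit 0 on no input) cannot be confirmed from here.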
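Review bot: None of the new `testMirrors` payloads reaches the awk regex gate in nvm.sh: each rejected value contains a backtick or a space, so the earlier `case` pattern returns before awk runs, and this hunk would pass unchanged even if the regex check did nothing. Add at least one value that is clean under the case patterns but invalid as a URL, e.g. `testMirrors 'ftp://test-domain'` and `testMirrors 'https://nodejs.org/dist;true'`, plus a positive case with a path and port that must still be accepted. `testMirrors` also leaves both `NVM_NODEJS_ORG_MIRROR` and `NVM_IOJS_ORG_MIRROR` set to the rejected value after each call; an `unset NVM_NODEJS_ORG_MIRROR NVM_IOJS_ORG_MIRROR` at the end of the function would keep any later assertions independent of call order. A one-line comment above the first fixture, such as `# scheme is now restricted to http(s), so test:// is no longer a valid mirror`, would explain why `test://domain` became `https://test-domain`.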