273345896
/
nvm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Fix] `nvm_get_mirror`: ensure only a valid URL is allowed

Jordan Harband 2023-12-02 14:44:46 -08:00
parent cc765cc000
commit b1fa143dd8
No known key found for this signature in database
GPG Key ID: 9F6A681E35EF8B56
2 changed files with 24 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nvm.sh
View File

@ -2035,12 +2035,18 @@ nvm_get_mirror() {
esac esac
case "${NVM_MIRROR}" in case "${NVM_MIRROR}" in
*\`* | *\\* | *\'* | *\(* ) *\`* | *\\* | *\'* | *\(* | *' '* )
nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL' nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
return 2 return 2
;; ;;
esac esac
if ! nvm_echo "${NVM_MIRROR}" | command awk '{ $0 ~ "^https?://[a-zA-Z0-9./_-]+$" }'; then
nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
return 2
fi
nvm_echo "${NVM_MIRROR}" nvm_echo "${NVM_MIRROR}"
} }

27
test/fast/Unit tests/nvm_get_mirror
View File

@ -23,18 +23,25 @@ set -e
[ "$(nvm_get_mirror node std)" = "https://nodejs.org/dist" ] || die "incorrect default node-std mirror" [ "$(nvm_get_mirror node std)" = "https://nodejs.org/dist" ] || die "incorrect default node-std mirror"
[ "$(nvm_get_mirror iojs std)" = "https://iojs.org/dist" ] || die "incorrect default iojs-std mirror" [ "$(nvm_get_mirror iojs std)" = "https://iojs.org/dist" ] || die "incorrect default iojs-std mirror"
NVM_NODEJS_ORG_MIRROR="test://domain" NVM_NODEJS_ORG_MIRROR="https://test-domain"
[ "$(nvm_get_mirror node std)" = "test://domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR" [ "$(nvm_get_mirror node std)" = "https://test-domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR"
unset NVM_NODEJS_ORG_MIRROR unset NVM_NODEJS_ORG_MIRROR
NVM_IOJS_ORG_MIRROR="test://domain" NVM_IOJS_ORG_MIRROR="https://test-domain"
[ "$(nvm_get_mirror iojs std)" = "test://domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR" [ "$(nvm_get_mirror iojs std)" = "https://test-domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR"
unset NVM_IOJS_ORG_MIRROR unset NVM_IOJS_ORG_MIRROR
NVM_NODEJS_ORG_MIRROR='`do something bad`' testMirrors() {
! nvm_get_mirror node std || die 'NVM_NODEJS_ORG_MIRROR errors with command injection attempt' NVM_NODEJS_ORG_MIRROR="${1-}"
[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection' ! nvm_get_mirror node std || die "NVM_NODEJS_ORG_MIRROR errors with command injection attempt (${1-})"
[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection'
NVM_IOJS_ORG_MIRROR='`do something bad`' NVM_IOJS_ORG_MIRROR="${1-}"
! nvm_get_mirror iojs std || die 'NVM_IOJS_ORG_MIRROR errors with command injection attempt' ! nvm_get_mirror iojs std || die "NVM_IOJS_ORG_MIRROR errors with command injection attempt (${1-})"
[ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection' [ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection'
}
testMirrors '`do something bad`'
testMirrors 'https://nodejs.org/dist; xdg-open http://www.google.com;'
testMirrors 'https://nodejs.org/dist&&xdg-open http://www.google.com;'
testMirrors 'https://nodejs.org/dist|xdg-open http://www.google.com;'