diff --git a/nvm.sh b/nvm.sh index 9319521f5d..b2af93c3ae 100644 --- a/nvm.sh +++ b/nvm.sh @@ -2023,14 +2023,25 @@ nvm_is_merged_node_version() { } nvm_get_mirror() { + local NVM_MIRROR + NVM_MIRROR='' case "${1}-${2}" in - node-std) nvm_echo "${NVM_NODEJS_ORG_MIRROR:-https://nodejs.org/dist}" ;; - iojs-std) nvm_echo "${NVM_IOJS_ORG_MIRROR:-https://iojs.org/dist}" ;; + node-std) NVM_MIRROR="${NVM_NODEJS_ORG_MIRROR:-https://nodejs.org/dist}" ;; + iojs-std) NVM_MIRROR="${NVM_IOJS_ORG_MIRROR:-https://iojs.org/dist}" ;; *) nvm_err 'unknown type of node.js or io.js release' return 1 ;; esac + + case "${NVM_MIRROR}" in + *\`* | *\\* | *\'* | *\(* ) + nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL' + return 2 + ;; + esac + + nvm_echo "${NVM_MIRROR}" } # args: os, prefixed version, version, tarball, extract directory diff --git a/test/fast/Unit tests/nvm_get_mirror b/test/fast/Unit tests/nvm_get_mirror index 8d4b1928bb..ccbb0e7385 100755 --- a/test/fast/Unit tests/nvm_get_mirror +++ b/test/fast/Unit tests/nvm_get_mirror @@ -30,3 +30,11 @@ unset NVM_NODEJS_ORG_MIRROR NVM_IOJS_ORG_MIRROR="test://domain" [ "$(nvm_get_mirror iojs std)" = "test://domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR" unset NVM_IOJS_ORG_MIRROR + +NVM_NODEJS_ORG_MIRROR='`do something bad`' +! nvm_get_mirror node std || die 'NVM_NODEJS_ORG_MIRROR errors with command injection attempt' +[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection' + +NVM_IOJS_ORG_MIRROR='`do something bad`' +! nvm_get_mirror iojs std || die 'NVM_IOJS_ORG_MIRROR errors with command injection attempt' +[ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection' \ No newline at end of file