patch: fixes possible injection issue for notify-send

Author: mikaelbr

lib/utils.js

@@ -313,7 +313,9 @@ module.exports.constructArgumentList = function (options, extra) {
   };
 
   initial.forEach(function (val) {
-    args.push(escapeFn(val));
+    if (typeof val === 'string') {
+      args.push(escapeFn(val));
+    }
   });
   for (var key in options) {
     if (

test/notify-send.js

@@ -70,6 +70,17 @@ describe('notify-send', function () {
     notifier.notify({ message: 'some\n "me\'ss`age`"' });
   });
 
+  it.only('should only include strings as arguments', function (done) {
+    var expected = ['"HACKED"', '--expire-time', '"10000"'];
+
+    expectArgsListToBe(expected, done);
+    var notifier = new Notify({ suppressOsdCheck: true });
+    var options = JSON.parse(
+      '{"title":"HACKED", "message":["`touch HACKED`"]}'
+    );
+    notifier.notify(options);
+  });
+
   it('should send additional parameters as --"keyname"', function (done) {
     var expected = [
       '"title"',