Skip to content

Commit

Permalink
Fix potential command injection vulnerability
Browse files Browse the repository at this point in the history
  • Loading branch information
pahen committed Mar 5, 2021
1 parent c0600c4 commit da5cbc9
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 14 deletions.
21 changes: 8 additions & 13 deletions lib/graph.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ const path = require('path');
const {promisify} = require('util');
const graphviz = require('graphviz');

const exec = promisify(require('child_process').exec);
const exec = promisify(require('child_process').execFile);
const writeFile = promisify(require('fs').writeFile);

/**
Expand All @@ -22,19 +22,14 @@ function setNodeColor(node, color) {
* @param {Object} config
* @return {Promise}
*/
function checkGraphvizInstalled(config) {
if (config.graphVizPath) {
const cmd = path.join(config.graphVizPath, 'gvpr -V');
return exec(cmd)
.catch(() => {
throw new Error('Could not execute ' + cmd);
});
}
async function checkGraphvizInstalled(config) {
const cmd = config.graphVizPath ? path.join(config.graphVizPath, 'gvpr') : 'gvpr';

return exec('gvpr -V')
.catch((error) => {
throw new Error('Graphviz could not be found. Ensure that "gvpr" is in your $PATH.\n' + error);
});
try {
await exec(cmd, ['-V']);
} catch (err) {
throw new Error(`Graphviz could not be found. Ensure that "gvpr" is in your $PATH. ${err}`);
}
}

/**
Expand Down
2 changes: 1 addition & 1 deletion test/api.js
Original file line number Diff line number Diff line change
Expand Up @@ -313,7 +313,7 @@ describe('API', () => {
madge(__dirname + '/cjs/a.js', {graphVizPath: '/invalid/path'})
.then((res) => res.image('image.png'))
.catch((err) => {
err.message.should.match(/Could not execute .*gvpr \-V/);
err.message.should.eql('Graphviz could not be found. Ensure that "gvpr" is in your $PATH. Error: spawn /invalid/path/gvpr ENOENT');
done();
});
});
Expand Down

0 comments on commit da5cbc9

Please sign in to comment.