Skip to content
This repository was archived by the owner on Jan 10, 2023. It is now read-only.

[CE-1330] Escaping args #167

Merged
drazisil merged 2 commits into from
Feb 4, 2020
Merged

[CE-1330] Escaping args #167

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d9a378f
Escaping args
drazisil Feb 4, 2020
2c7ec24
Removing .vscode, commited in error.
drazisil Feb 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,4 @@ node_modules

lib-cov/
coverage.json
.vs-code
16 changes: 10 additions & 6 deletions lib/codecov.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ var urlgrey = require('urlgrey')
var jsYaml = require('js-yaml')
var walk = require('ignore-walk')
var execSync = require('child_process').execSync
var validator = require('validator')
Copy link
Copy Markdown

@hootener hootener Feb 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm unsure what benefits validator provides. But would it be worthwhile to keep it, and call it in your sanitizeVar function before the "&" removal step? Off the cuff, something like:

function sanitizeVar(arg) {
  arg = validator.escape(arg)
  return arg.replace(/&/g, '')
}

Copy link
Copy Markdown
Contributor Author

@drazisil drazisil Feb 4, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Validator was added with the last patch. It also escaped / which makes actual paths very unhappy.


var detectProvider = require('./detect')

Expand Down Expand Up @@ -394,13 +393,13 @@ var upload = function(args, on_success, on_failure) {
if (!isWindows) {
gcov =
'find ' +
(args.options['gcov-root'] || root) +
(sanitizeVar(args.options['gcov-root']) || root) +
" -type f -name '*.gcno' " +
gcg +
' -exec ' +
(validator.escape(args.options['gcov-exec']) || 'gcov') +
(sanitizeVar(args.options['gcov-exec']) || 'gcov') +
' ' +
(validator.escape(args.options['gcov-args']) || '') +
(sanitizeVar(args.options['gcov-args']) || '') +
' {} +'
} else {
// @TODO support for root
Expand All @@ -409,9 +408,9 @@ var upload = function(args, on_success, on_failure) {
'for /f "delims=" %g in (\'dir /a-d /b /s *.gcno ' +
gcg +
"') do " +
(args.options['gcov-exec'] || 'gcov') +
(sanitizeVar(args.options['gcov-exec']) || 'gcov') +
' ' +
(args.options['gcov-args'] || '') +
(sanitizeVar(args.options['gcov-args']) || '') +
' %g'
}
debug.push(gcov)
Expand Down Expand Up @@ -556,7 +555,12 @@ var upload = function(args, on_success, on_failure) {
}
}

function sanitizeVar(arg) {
return arg.replace(/&/g, '')
}

module.exports = {
sanitizeVar: sanitizeVar,
upload: upload,
version: version,
sendToCodecovV2: sendToCodecovV2,
Expand Down
5 changes: 0 additions & 5 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 1 addition & 2 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,7 @@
"ignore-walk": "3.0.3",
"js-yaml": "3.13.1",
"teeny-request": "6.0.1",
"urlgrey": "0.4.4",
"validator": "12.2.0"
"urlgrey": "0.4.4"
},
"devDependencies": {
"eslint": "^5.16.0",
Expand Down
6 changes: 6 additions & 0 deletions test/index.test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -276,4 +276,10 @@ describe('Codecov', function() {
expect(res.query.yaml).toBe(process.cwd() + '/foo.yml')
mockFs.restore()
})

it('can sanitize inputs', function() {
expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
'real run unsafe command'
)
})
})