|
1 | | -import { existsSync, mkdirSync, readFileSync, readdirSync } from "node:fs"; |
2 | | -import { basename, resolve } from "node:path"; |
3 | 1 | import { spawnSync } from "node:child_process"; |
| 2 | +import { existsSync, mkdirSync, readdirSync, readFileSync } from "node:fs"; |
| 3 | +import { basename, resolve } from "node:path"; |
4 | 4 | import process from "node:process"; |
5 | 5 |
|
6 | 6 | /** |
@@ -143,20 +143,33 @@ export function safeSpawnSync(command, args = [], options = {}) { |
143 | 143 | const allowedCommands = normalizeAllowedCommands(options.allowedCommands); |
144 | 144 | const commandName = basename(command); |
145 | 145 |
|
146 | | - if (allowedCommands && !allowedCommands.has(command) && !allowedCommands.has(commandName)) { |
| 146 | + if ( |
| 147 | + allowedCommands && |
| 148 | + !allowedCommands.has(command) && |
| 149 | + !allowedCommands.has(commandName) |
| 150 | + ) { |
147 | 151 | return { |
148 | 152 | status: 1, |
149 | 153 | stdout: options.encoding === "buffer" ? Buffer.alloc(0) : "", |
150 | | - stderr: options.encoding === "buffer" ? Buffer.from("Command blocked by allowlist") : "Command blocked by allowlist", |
| 154 | + stderr: |
| 155 | + options.encoding === "buffer" |
| 156 | + ? Buffer.from("Command blocked by allowlist") |
| 157 | + : "Command blocked by allowlist", |
151 | 158 | error: new Error(`Command blocked by allowlist: ${command}`), |
152 | 159 | }; |
153 | 160 | } |
154 | 161 |
|
155 | | - if (options.shell === true && isWindowsShellHijackRisk(command, options.cwd)) { |
| 162 | + if ( |
| 163 | + options.shell === true && |
| 164 | + isWindowsShellHijackRisk(command, options.cwd) |
| 165 | + ) { |
156 | 166 | return { |
157 | 167 | status: 1, |
158 | 168 | stdout: options.encoding === "buffer" ? Buffer.alloc(0) : "", |
159 | | - stderr: options.encoding === "buffer" ? Buffer.from("Blocked potential Windows shell hijack") : "Blocked potential Windows shell hijack", |
| 169 | + stderr: |
| 170 | + options.encoding === "buffer" |
| 171 | + ? Buffer.from("Blocked potential Windows shell hijack") |
| 172 | + : "Blocked potential Windows shell hijack", |
160 | 173 | error: new Error("Blocked potential Windows shell hijack"), |
161 | 174 | }; |
162 | 175 | } |
@@ -184,11 +197,14 @@ export function safeSpawnSync(command, args = [], options = {}) { |
184 | 197 | */ |
185 | 198 | function normalizeAllowedCommands(allowedCommands) { |
186 | 199 | if (Array.isArray(allowedCommands) && allowedCommands.length > 0) { |
187 | | - return new Set(allowedCommands.map((entry) => entry.trim()).filter(Boolean)); |
| 200 | + return new Set( |
| 201 | + allowedCommands.map((entry) => entry.trim()).filter(Boolean), |
| 202 | + ); |
188 | 203 | } |
189 | 204 |
|
190 | 205 | const envValue = |
191 | | - process.env.CDX_HBOM_ALLOWED_COMMANDS ?? process.env.CDXGEN_ALLOWED_COMMANDS; |
| 206 | + process.env.CDX_HBOM_ALLOWED_COMMANDS ?? |
| 207 | + process.env.CDXGEN_ALLOWED_COMMANDS; |
192 | 208 |
|
193 | 209 | if (!envValue) { |
194 | 210 | return null; |
@@ -220,7 +236,12 @@ function isWindowsShellHijackRisk(command, cwd) { |
220 | 236 | .filter(Boolean) |
221 | 237 | .map((extension) => extension.toLowerCase()); |
222 | 238 | const cwdPath = resolve(cwd); |
223 | | - const candidates = [candidateBase, ...pathExt.map((extension) => `${candidateBase}${extension}`)]; |
| 239 | + const candidates = [ |
| 240 | + candidateBase, |
| 241 | + ...pathExt.map((extension) => `${candidateBase}${extension}`), |
| 242 | + ]; |
224 | 243 |
|
225 | | - return candidates.some((candidate) => safeExistsSync(resolve(cwdPath, candidate))); |
| 244 | + return candidates.some((candidate) => |
| 245 | + safeExistsSync(resolve(cwdPath, candidate)), |
| 246 | + ); |
226 | 247 | } |
0 commit comments