From 760699354e7c2fd0f8c03ce5c0be90605871f033 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 11:35:41 +0200 Subject: [PATCH 01/11] Fix nodejs breaking change CVE-2024-27980 --- src/test/package.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
index df63dd5e..ae3e62a7 100644
--- a/src/test/package.test.ts
+++ b/src/test/package.test.ts
@@ -2940,7 +2940,7 @@ describe('version', function () {
 const fixtureFolder = fixture('vsixmanifest');
 let cwd: string;
- const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8' });
+ const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8', shell: true });
 beforeEach(() => {
 dir = tmp.dirSync({ unsafeCleanup: true });
From af842a2495f26c9f7d7418669221b134a4711d08 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 14:36:35 +0200 Subject: [PATCH 02/11] validate commit messages for version bump --- package-lock.json | 29 ++++++++++++++++++++++++++++- package.json | 2 ++ src/package.ts | 9 ++++++--- 3 files changed, 36 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 33d1588c..992e5318 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -25,6 +25,7 @@
 "parse-semver": "^1.1.1",
 "read": "^1.0.7",
 "semver": "^7.5.2",
+ "shell-quote": "^1.8.1",
 "tmp": "^0.2.1",
 "typed-rest-client": "^1.8.4",
 "url-join": "^4.0.1",
@@ -44,9 +45,10 @@
 "@types/mime": "^1",
 "@types/minimatch": "^3.0.3",
 "@types/mocha": "^7.0.2",
- "@types/node": "^16.0.0",
+ "@types/node": "^16.11.7",
 "@types/read": "^0.0.28",
 "@types/semver": "^6.0.0",
+ "@types/shell-quote": "^1.7.5",
 "@types/tmp": "^0.2.2",
 "@types/url-join": "^4.0.1",
 "@types/xml2js": "^0.4.4",
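Review bot: `shell: true` on the changed `git` helper line is unconditional, although the Node change it works around (CVE-2024-27980, `.bat`/`.cmd` files on Windows) does not affect a native `git` executable, and with a shell the `args` array is joined into one command string instead of being passed verbatim. Any argument containing whitespace or shell metacharacters then changes meaning; the `--format=%B` argument used later in this file is worth checking under cmd.exe, where `%` introduces variable expansion. Either drop the option for `git`, or limit it to `shell: process.platform === 'win32'` with a comment saying why. The enclosing `describe('version', …)` continues outside the hunk.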
@@ -358,6 +360,12 @@ "integrity": "sha1-hrqJ8CpBTjnGjQKzUYcuTtMb13M= sha512-OO0srjOGH99a4LUN2its3+r6CBYcplhJ466yLqs+zvAWgphCpS8hYZEZ797tRDP/QKcqTdb/YCN6ifASoAWkrQ==", "dev": true }, + "node_modules/@types/shell-quote": { + "version": "1.7.5", + "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz", + "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==", + "dev": true + }, "node_modules/@types/tmp": { "version": "0.2.2", "resolved": "https://registry.npmjs.org/@types/tmp/-/tmp-0.2.2.tgz", @@ -2339,6 +2347,14 @@ "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", "optional": true }, + "node_modules/shell-quote": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.1.tgz", + "integrity": "sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, "node_modules/side-channel": { "version": "1.0.4", "resolved": "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.4.tgz", @@ -3242,6 +3258,12 @@ "integrity": "sha1-hrqJ8CpBTjnGjQKzUYcuTtMb13M= sha512-OO0srjOGH99a4LUN2its3+r6CBYcplhJ466yLqs+zvAWgphCpS8hYZEZ797tRDP/QKcqTdb/YCN6ifASoAWkrQ==", "dev": true }, + "@types/shell-quote": { + "version": "1.7.5", + "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz", + "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==", + "dev": true + }, "@types/tmp": { "version": "0.2.2", "resolved": "https://registry.npmjs.org/@types/tmp/-/tmp-0.2.2.tgz", 
@@ -4736,6 +4758,11 @@ "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", "optional": true }, + "shell-quote": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.1.tgz", + "integrity": "sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==" + }, "side-channel": { "version": "1.0.4", "resolved": "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.4.tgz", diff --git a/package.json b/package.json index 5106e40e..690c331a 100644 --- a/package.json +++ b/package.json @@ -54,6 +54,7 @@ "parse-semver": "^1.1.1", "read": "^1.0.7", "semver": "^7.5.2", + "shell-quote": "^1.8.1", "tmp": "^0.2.1", "typed-rest-client": "^1.8.4", "url-join": "^4.0.1", @@ -73,6 +74,7 @@ "@types/node": "^16.11.7", "@types/read": "^0.0.28", "@types/semver": "^6.0.0", + "@types/shell-quote": "^1.7.5", "@types/tmp": "^0.2.2", "@types/url-join": "^4.0.1", "@types/xml2js": "^0.4.4", diff --git a/src/package.ts b/src/package.ts index a744c46e..986ceb7b 100644 --- a/src/package.ts +++ b/src/package.ts @@ -24,6 +24,7 @@ import { detectYarn, getDependencies } from './npm'; import * as GitHost from 'hosted-git-info'; import parseSemver from 'parse-semver'; import * as jsonc from 'jsonc-parser'; +import { quote } from 'shell-quote'; const MinimatchOptions: minimatch.IOptions = { dot: true }; 
@@ -399,15 +400,17 @@ export async function versionBump(options: IVersionBumpOptions): Promise {
 const args = ['version', options.version];
 if (options.commitMessage) {
- args.push('-m', options.commitMessage);
+ // Validate commit message due to possible shell injection on windows
+ const validatedCommitMessage = quote([options.commitMessage]);
+ args.push('-m', validatedCommitMessage);
 }
 if (!(options.gitTagVersion ?? true)) {
 args.push('--no-git-tag-version');
 }
- const { stdout, stderr } = await promisify(cp.execFile)(process.platform === 'win32' ? 'npm.cmd' : 'npm', args, { cwd });
-
+ const isWindows = process.platform === 'win32';
+ const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
 if (!process.env['VSCE_TESTS']) {
 process.stdout.write(stdout);
 process.stderr.write(stderr);
From 3e93e3f19b5bfc8c199650eb0b561d3cef2293c7 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 15:29:33 +0200 Subject: [PATCH 03/11] Properly sanitize message --- package-lock.json | 29 +---------------------------- package.json | 2 -- src/package.ts | 38 ++++++++++++++++++++++++++++++++++---- src/test/package.test.ts | 5 +++-- 4 files changed, 38 insertions(+), 36 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 992e5318..33d1588c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -25,7 +25,6 @@
 "parse-semver": "^1.1.1",
 "read": "^1.0.7",
 "semver": "^7.5.2",
- "shell-quote": "^1.8.1",
 "tmp": "^0.2.1",
 "typed-rest-client": "^1.8.4",
 "url-join": "^4.0.1",
@@ -45,10 +44,9 @@
 "@types/mime": "^1",
 "@types/minimatch": "^3.0.3",
 "@types/mocha": "^7.0.2",
- "@types/node": "^16.11.7",
+ "@types/node": "^16.0.0",
 "@types/read": "^0.0.28",
 "@types/semver": "^6.0.0",
- "@types/shell-quote": "^1.7.5",
 "@types/tmp": "^0.2.2",
 "@types/url-join": "^4.0.1",
 "@types/xml2js": "^0.4.4",
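Review bot: `quote([options.commitMessage])` on the added line applies POSIX-shell quoting (single quotes and backslash escapes), but the shell that `shell: isWindows` actually invokes is cmd.exe, which does not treat single quotes as quoting, and on the other platforms `execFile` runs without a shell and passes the argument verbatim, so the quoting ends up inside the commit message instead of protecting anything. Quoting has to match the shell in use and should only be applied when a shell is used; for cmd.exe that means handling its own metacharacters (`"`, `%`, `&`, `|`, `^`, `<`, `>`) rather than POSIX ones. versionBump starts outside the hunk.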
@@ -360,12 +358,6 @@ "integrity": "sha1-hrqJ8CpBTjnGjQKzUYcuTtMb13M= sha512-OO0srjOGH99a4LUN2its3+r6CBYcplhJ466yLqs+zvAWgphCpS8hYZEZ797tRDP/QKcqTdb/YCN6ifASoAWkrQ==", "dev": true }, - "node_modules/@types/shell-quote": { - "version": "1.7.5", - "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz", - "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==", - "dev": true - }, "node_modules/@types/tmp": { "version": "0.2.2", "resolved": "https://registry.npmjs.org/@types/tmp/-/tmp-0.2.2.tgz", @@ -2347,14 +2339,6 @@ "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", "optional": true }, - "node_modules/shell-quote": { - "version": "1.8.1", - "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.1.tgz", - "integrity": "sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==", - "funding": { - "url": "https://github.com/sponsors/ljharb" - } - }, "node_modules/side-channel": { "version": "1.0.4", "resolved": "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.4.tgz", @@ -3258,12 +3242,6 @@ "integrity": "sha1-hrqJ8CpBTjnGjQKzUYcuTtMb13M= sha512-OO0srjOGH99a4LUN2its3+r6CBYcplhJ466yLqs+zvAWgphCpS8hYZEZ797tRDP/QKcqTdb/YCN6ifASoAWkrQ==", "dev": true }, - "@types/shell-quote": { - "version": "1.7.5", - "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz", - "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==", - "dev": true - }, "@types/tmp": { "version": "0.2.2", "resolved": "https://registry.npmjs.org/@types/tmp/-/tmp-0.2.2.tgz", 
@@ -4758,11 +4736,6 @@ "integrity": "sha1-BF+XgtARrppoA93TgrJDkrPYkPc=", "optional": true }, - "shell-quote": { - "version": "1.8.1", - "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.1.tgz", - "integrity": "sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==" - }, "side-channel": { "version": "1.0.4", "resolved": "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.4.tgz", diff --git a/package.json b/package.json index 690c331a..5106e40e 100644 --- a/package.json +++ b/package.json @@ -54,7 +54,6 @@ "parse-semver": "^1.1.1", "read": "^1.0.7", "semver": "^7.5.2", - "shell-quote": "^1.8.1", "tmp": "^0.2.1", "typed-rest-client": "^1.8.4", "url-join": "^4.0.1", @@ -74,7 +73,6 @@ "@types/node": "^16.11.7", "@types/read": "^0.0.28", "@types/semver": "^6.0.0", - "@types/shell-quote": "^1.7.5", "@types/tmp": "^0.2.2", "@types/url-join": "^4.0.1", "@types/xml2js": "^0.4.4", diff --git a/src/package.ts b/src/package.ts index 986ceb7b..3fd9dc16 100644 --- a/src/package.ts +++ b/src/package.ts @@ -24,7 +24,6 @@ import { detectYarn, getDependencies } from './npm'; import * as GitHost from 'hosted-git-info'; import parseSemver from 'parse-semver'; import * as jsonc from 'jsonc-parser'; -import { quote } from 'shell-quote'; const MinimatchOptions: minimatch.IOptions = { dot: true }; @@ -400,9 +399,11 @@ export async function versionBump(options: IVersionBumpOptions): Promise { const args = ['version', options.version]; if (options.commitMessage) { - // Validate commit message due to possible shell injection on windows - const validatedCommitMessage = quote([options.commitMessage]); - args.push('-m', validatedCommitMessage); + // Sanitize commit message due to possible shell injection on windows + const sanitizedCommitMessage = sanitizeCommitMessage(options.commitMessage); + if (sanitizedCommitMessage) { + args.push('-m', sanitizedCommitMessage); + } } if (!(options.gitTagVersion ?? true)) { 
@@ -417,6 +418,35 @@ export async function versionBump(options: IVersionBumpOptions): Promise { } } +export function sanitizeCommitMessage(message: string): string | undefined { + // Allow alphanumeric, space, common punctuation, newline characters. + // Specifically check for characters that might escape quotes or introduce shell commands. + // Newlines are allowed, but backslashes (other than for newlines), backticks, and dollar signs are still checked. + const unsafeRegex = /(? sanitizedMessage.includes(char))) { + throw new Error('Commit message contains potentially dangerous characters after initial sanitization.'); + } + + // Make sure all backslashes are followed by 'n' to prevent shell injection + sanitizedMessage.split('').reduce((positions: number[], char: string, index: number) => { + if (char === '\\' && sanitizedMessage[index + 1] !== 'n') { + throw new Error('Commit message contains potentially dangerous characters after initial sanitization.'); + } + return positions; + }, []); + + if (sanitizedMessage.length === 0) { + return undefined; + } + + return sanitizedMessage; +} + export const Targets = new Set([ 'win32-x64', 'win32-arm64', diff --git a/src/test/package.test.ts b/src/test/package.test.ts index ae3e62a7..8c757617 100644 --- a/src/test/package.test.ts +++ b/src/test/package.test.ts @@ -13,7 +13,7 @@ import { ManifestProcessor, versionBump, VSIX, - LicenseProcessor, + LicenseProcessor } from '../package'; import { Manifest } from '../manifest'; import * as path from 'path'; @@ -25,6 +25,7 @@ import { XMLManifest, parseXmlManifest, parseContentTypes } from '../xml'; import { flatten, log } from '../util'; import { validatePublisher } from '../validation'; import * as jsonc from 'jsonc-parser'; +import { quote } from 'shell-quote'; // don't warn in tests console.warn = () => null; 
@@ -3007,7 +3008,7 @@ describe('version', function () {
 const commitMessage = 'test commit message';
 await versionBump({ cwd, version: '1.1.1', commitMessage });
- assert.deepStrictEqual(git(['show', '-s', '--format=%B', 'HEAD']).stdout, `${commitMessage}\n\n`);
+ assert.deepStrictEqual(git(['show', '-s', '--format=%B', 'HEAD']).stdout, `${quote([commitMessage])}\n\n`);
 });
 it('should not create git tag and commit', async () => {
From 434754fbedb1d1ec32ffd55cb5970d1df4086068 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 15:40:42 +0200 Subject: [PATCH 04/11] Remove unused shell-quote --- src/test/package.test.ts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
index 8c757617..e5153891 100644
--- a/src/test/package.test.ts
+++ b/src/test/package.test.ts
@@ -25,7 +25,6 @@ import { XMLManifest, parseXmlManifest, parseContentTypes } from '../xml';
 import { flatten, log } from '../util';
 import { validatePublisher } from '../validation';
 import * as jsonc from 'jsonc-parser';
-import { quote } from 'shell-quote';
 // don't warn in tests
 console.warn = () => null;
@@ -3008,7 +3007,7 @@ describe('version', function () {
 const commitMessage = 'test commit message';
 await versionBump({ cwd, version: '1.1.1', commitMessage });
- assert.deepStrictEqual(git(['show', '-s', '--format=%B', 'HEAD']).stdout, `${quote([commitMessage])}\n\n`);
+ assert.deepStrictEqual(git(['show', '-s', '--format=%B', 'HEAD']).stdout, `${commitMessage}\n\n`);
 });
 it('should not create git tag and commit', async () => {
From 97f8b80ab70ed57a4908db787d693e3eb198cb01 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 15:49:59 +0200 Subject: [PATCH 05/11] :lipstick: --- src/test/package.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/test/package.test.ts b/src/test/package.test.ts
index e5153891..ae3e62a7 100644
--- a/src/test/package.test.ts
+++ b/src/test/package.test.ts
@@ -13,7 +13,7 @@ import {
 ManifestProcessor,
 versionBump,
 VSIX,
- LicenseProcessor
+ LicenseProcessor,
 } from '../package';
 import { Manifest } from '../manifest';
 import * as path from 'path';
From 1188664e0923132cb39b537911bbc07f3c810a2f Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 15:54:39 +0200 Subject: [PATCH 06/11] Commit message enclose in quotes --- src/package.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/package.ts b/src/package.ts
index 3fd9dc16..65effc8b 100644
--- a/src/package.ts
+++ b/src/package.ts
@@ -444,7 +444,7 @@ export function sanitizeCommitMessage(message: string): string | undefined {
 return undefined;
 }
- return sanitizedMessage;
+ return `"${sanitizedMessage}"`;
 }
 export const Targets = new Set([
From 9e06c04460ea97d5789e42fb39d3bb3124252b3a Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 16:13:28 +0200 Subject: [PATCH 07/11] :lipstick: --- src/package.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/package.ts b/src/package.ts
index 65effc8b..053a41fc 100644
--- a/src/package.ts
+++ b/src/package.ts
@@ -418,7 +418,7 @@ export async function versionBump(options: IVersionBumpOptions): Promise {
 }
 }
-export function sanitizeCommitMessage(message: string): string | undefined {
+function sanitizeCommitMessage(message: string): string | undefined {
 // Allow alphanumeric, space, common punctuation, newline characters.
 // Specifically check for characters that might escape quotes or introduce shell commands.
 // Newlines are allowed, but backslashes (other than for newlines), backticks, and dollar signs are still checked.
@@ -433,12 +433,12 @@ export function sanitizeCommitMessage(message: string): string | undefined {
 }
 // Make sure all backslashes are followed by 'n' to prevent shell injection
- sanitizedMessage.split('').reduce((positions: number[], char: string, index: number) => {
+ for (let index = 0; index < sanitizedMessage.length; index++) {
+ const char = sanitizedMessage[index];
 if (char === '\\' && sanitizedMessage[index + 1] !== 'n') {
 throw new Error('Commit message contains potentially dangerous characters after initial sanitization.');
 }
- return positions;
- }, []);
+ }
 if (sanitizedMessage.length === 0) {
 return undefined;
From b1bde5a72726ce021082e4ec6de9f02212e0cdd8 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 16:18:58 +0200 Subject: [PATCH 08/11] Only sanitize on windows --- src/package.ts | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/src/package.ts b/src/package.ts
index 053a41fc..fa9621b2 100644
--- a/src/package.ts
+++ b/src/package.ts
@@ -395,22 +395,21 @@ export async function versionBump(options: IVersionBumpOptions): Promise {
 }
 }
+ // call `npm version` to do our dirty work
 const args = ['version', options.version];
- if (options.commitMessage) {
- // Sanitize commit message due to possible shell injection on windows
- const sanitizedCommitMessage = sanitizeCommitMessage(options.commitMessage);
- if (sanitizedCommitMessage) {
- args.push('-m', sanitizedCommitMessage);
- }
+ const isWindows = process.platform === 'win32';
+
+ const commitMessage = isWindows ? sanitizeCommitMessage(options.commitMessage) : options.commitMessage;
+ if (commitMessage) {
+ args.push('-m', commitMessage);
 }
 if (!(options.gitTagVersion ?? true)) {
 args.push('--no-git-tag-version');
 }
- const isWindows = process.platform === 'win32';
 const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
 if (!process.env['VSCE_TESTS']) {
 process.stdout.write(stdout);
@@ -418,7 +417,11 @@ export async function versionBump(options: IVersionBumpOptions): Promise {
 }
 }
-function sanitizeCommitMessage(message: string): string | undefined {
+function sanitizeCommitMessage(message?: string): string | undefined {
+ if (!message) {
+ return undefined;
+ }
+
 // Allow alphanumeric, space, common punctuation, newline characters.
 // Specifically check for characters that might escape quotes or introduce shell commands.
 // Newlines are allowed, but backslashes (other than for newlines), backticks, and dollar signs are still checked.
From f6eb2472f2d900627db9f58aaf7d354a857fbff8 Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 16:22:12 +0200 Subject: [PATCH 09/11] :lipstick: --- src/package.ts | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/src/package.ts b/src/package.ts
index fa9621b2..3e67b4a4 100644
--- a/src/package.ts
+++ b/src/package.ts
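Review bot: On the new `const commitMessage = isWindows ? sanitizeCommitMessage(…) : options.commitMessage;` line the commit message is the only argument that is sanitized, yet with `shell: isWindows` every element of `args` is joined into one cmd.exe command line, including `options.version`; unless versionBump validates it before this hunk (the function starts outside the hunk), the version should be checked against `semver.valid(...)` (the `semver` package is already in package.json) or the bump keywords `npm version` accepts before it is pushed. The sanitizer's deny-list (quotes, backtick, `$`, backslash, per its comments) is modelled on POSIX shells, while the shell actually invoked here is cmd.exe, where `%NAME%` is expanded even inside double quotes; `%` should be rejected too, or the message compared against an allow-list of permitted characters rather than a deny-list. Also, a message that is stripped to nothing yields `undefined`, so `-m` is silently dropped and npm falls back to its default commit message with no feedback to the user; a warning or an error is better there. sanitizeCommitMessage's body continues outside the hunk.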
@@ -422,12 +422,11 @@ function sanitizeCommitMessage(message?: string): string | undefined { return undefined; } - // Allow alphanumeric, space, common punctuation, newline characters. - // Specifically check for characters that might escape quotes or introduce shell commands. - // Newlines are allowed, but backslashes (other than for newlines), backticks, and dollar signs are still checked. + // Check for characters that might escape quotes or introduce shell commands. + // Don't allow: ', ", `, $, \ (except for \n) const unsafeRegex = /(? Date: Thu, 2 May 2024 18:23:17 +0200 Subject: [PATCH 10/11] Remove double checking --- src/package.ts | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/src/package.ts b/src/package.ts index 3e67b4a4..86459e62 100644 --- a/src/package.ts +++ b/src/package.ts @@ -423,28 +423,17 @@ function sanitizeCommitMessage(message?: string): string | undefined { } // Check for characters that might escape quotes or introduce shell commands. - // Don't allow: ', ", `, $, \ (except for \n) + // Don't allow: ', ", `, $, \ (except for \n which is allowed) const unsafeRegex = /(? sanitizedMessage.includes(char))) { - throw new Error('Commit message contains potentially dangerous characters after initial sanitization.'); - } - - for (let index = 0; index < sanitizedMessage.length; index++) { - const char = sanitizedMessage[index]; - if (char === '\\' && sanitizedMessage[index + 1] !== 'n') { - throw new Error('Commit message contains potentially dangerous characters after initial sanitization.'); - } - } - if (sanitizedMessage.length === 0) { return undefined; } + // Add quotes as commit message is passed as a single argument to the shell return `"${sanitizedMessage}"`; } From c1ced1d4125a6124272fe11ba7a1d0b4bd73e20a Mon Sep 17 00:00:00 2001 From: BeniBenj Date: Thu, 2 May 2024 18:31:38 +0200 Subject: [PATCH 11/11] :lipstick: --- src/package.ts | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
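Review bot: With the throwing double-check removed, everything in this hunk rests on the single `replace(unsafeRegex, '')`, and characters are stripped without any feedback, so the commit that lands can differ from what the user typed (the regex itself is not legible in this rendering, so its exact character set cannot be checked here). Emit a warning naming the removed characters, or reject the message, instead of rewriting it silently; a silently altered message is also harder to notice in a test than a thrown error. The added comment `// Add quotes as commit message is passed as a single argument to the shell` should say which shell and why, e.g. `// Wrap in double quotes: on Windows the args are joined into one cmd.exe command line`.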
diff --git a/src/package.ts b/src/package.ts index 86459e62..36dba68b 100644 --- a/src/package.ts +++ b/src/package.ts @@ -422,12 +422,10 @@ function sanitizeCommitMessage(message?: string): string | undefined { return undefined; } + // Remove any unsafe characters found by the unsafeRegex // Check for characters that might escape quotes or introduce shell commands. // Don't allow: ', ", `, $, \ (except for \n which is allowed) - const unsafeRegex = /(?