From a1111ee793e0292e4eff27b69214b361bd1eb712 Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Mon, 21 Oct 2019 00:17:10 +0200 Subject: [PATCH 1/4] Silence potentially upcoming circular dependency warning (#973) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Node.js is currently considering printing a warning when a non-existent property of `module.exports` is accessed while in a circular `require()` dependency, in order to make it easier to catch issues with circular dependencies. In order to avoid printing these warnings for shelljs, checking for the property’s existence rather than its truthiness suffices. Refs: https://github.com/nodejs/node/pull/29935 --- src/common.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common.js b/src/common.js index 14a49fc58..64fa2fbc0 100644 --- a/src/common.js +++ b/src/common.js @@ -450,7 +450,7 @@ function _register(name, implementation, wrapOptions) { // If an option isn't specified, use the default wrapOptions = Object.assign({}, DEFAULT_WRAP_OPTIONS, wrapOptions); - if (shell[name]) { + if (shell.hasOwnProperty(name)) { throw new Error('Command `' + name + '` already exists'); } From fcf1651be9a3bb8e20ba1fd24b8a91f369829c53 Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Fri, 24 Apr 2020 20:58:18 -0700 Subject: [PATCH 2/4] 0.8.4 --- package-lock.json | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3cca706bd..3ea3c3e54 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "shelljs", - "version": "0.8.3", + "version": "0.8.4", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index fcb0fb570..b52070538 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "shelljs", - "version": "0.8.3", + "version": "0.8.4", "description": "Portable Unix shell commands for Node.js", "keywords": [ "shelljs", From d919d22dd6de385edaa9d90313075a77f74b338c Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 21:14:23 -0800 Subject: [PATCH 3/4] fix(exec): lockdown file permissions (#1060) This locks down file permissions used by the internal implementation of `shell.exec()`. Issue #1058 Tested manually using the documented scenarios --- src/exec.js | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/src/exec.js b/src/exec.js index de3322c81..78faf13d2 100644 --- a/src/exec.js +++ b/src/exec.js @@ -48,7 +48,24 @@ function execSync(cmd, opts, pipe) { stderrFile: stderrFile, }; - fs.writeFileSync(paramsFile, JSON.stringify(paramsToSerialize), 'utf8'); + // Create the files and ensure these are locked down (for read and write) to + // the current user. The main concerns here are: + // + // * If we execute a command which prints sensitive output, then + // stdoutFile/stderrFile must not be readable by other users. + // * paramsFile must not be readable by other users, or else they can read it + // to figure out the path for stdoutFile/stderrFile and create these first + // (locked down to their own access), which will crash exec() when it tries + // to write to the files. + function writeFileLockedDown(filePath, data) { + fs.writeFileSync(filePath, data, { + encoding: 'utf8', + mode: parseInt('600', 8), + }); + } + writeFileLockedDown(stdoutFile, ''); + writeFileLockedDown(stderrFile, ''); + writeFileLockedDown(paramsFile, JSON.stringify(paramsToSerialize)); var execArgs = [ path.join(__dirname, 'exec-child.js'), @@ -91,6 +108,7 @@ function execSync(cmd, opts, pipe) { } // No biggie if we can't erase the files now -- they're in a temp dir anyway + // and we locked down permissions (see the note above). try { common.unlinkSync(paramsFile); } catch (e) {} try { common.unlinkSync(stderrFile); } catch (e) {} try { common.unlinkSync(stdoutFile); } catch (e) {} From 70668a4555c7d49c4f67d53ea063b899be4d6d40 Mon Sep 17 00:00:00 2001 From: Nate Fischer Date: Thu, 6 Jan 2022 21:31:45 -0800 Subject: [PATCH 4/4] 0.8.5 --- package-lock.json | 2 +- package.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3ea3c3e54..178dc7a1f 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,6 +1,6 @@ { "name": "shelljs", - "version": "0.8.4", + "version": "0.8.5", "lockfileVersion": 1, "requires": true, "dependencies": { diff --git a/package.json b/package.json index b52070538..5c79efeec 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "shelljs", - "version": "0.8.4", + "version": "0.8.5", "description": "Portable Unix shell commands for Node.js", "keywords": [ "shelljs",