development/vscode
development/vscode
1
0
Fork 0
mirror of https://github.com/Microsoft/vscode synced 2024-08-28 05:19:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix a bypass for CVE-2020-16881

Browse source 
Fixes #107951

Uses child_process.execFile() rather than child_process.exec() to more
effectively resolve the command injection vulnerability.
This commit is contained in:
Justin Steven 2020-10-02 17:21:51 +10:00
parent 9d9afaacfb
commit e8ceafb07a
No known key found for this signature in database
GPG key ID: 681459ADF322CF09
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
extensions/npm/src/features/packageJSONContribution.ts
View file

@ -282,8 +282,8 @@ export class PackageJSONContribution implements IJSONContribution {
private npmView(pack: string): Promise<ViewPackageInfo | undefined> {
return new Promise((resolve, _reject) => {
const command = 'npm view --json ' + pack + ' description dist-tags.latest homepage version';
cp.exec(command, (error, stdout) => {
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version'];
cp.execFile('npm', args, (error, stdout) => {
if (!error) {
try {
const content = JSON.parse(stdout);