mirror of
https://github.com/Microsoft/vscode
synced 2024-09-13 21:55:38 +00:00
Fix a bypass for CVE-2020-16881
Fixes #107951. Uses child_process.execFile() rather than child_process.exec() to more effectively resolve the command injection vulnerability.
parent
9d9afaacfb
commit
e8ceafb07a
|
@ -282,8 +282,8 @@ export class PackageJSONContribution implements IJSONContribution {
|
||||||
|
|
||||||
private npmView(pack: string): Promise<ViewPackageInfo | undefined> {
|
private npmView(pack: string): Promise<ViewPackageInfo | undefined> {
|
||||||
return new Promise((resolve, _reject) => {
|
return new Promise((resolve, _reject) => {
|
||||||
const command = 'npm view --json ' + pack + ' description dist-tags.latest homepage version';
|
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version'];
|
||||||
cp.exec(command, (error, stdout) => {
|
cp.execFile('npm', args, (error, stdout) => {
|
||||||
if (!error) {
|
if (!error) {
|
||||||
try {
|
try {
|
||||||
const content = JSON.parse(stdout);
|
const content = JSON.parse(stdout);
|
||||||
|
|
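Review bot: `pack` goes into the `args` array for `cp.execFile('npm', args, …)` without validation, so although the shell is no longer involved, a value beginning with `-` would still be parsed by npm as an option rather than as a package name. A guard before `args` is built, such as `if (pack.startsWith('-')) { resolve(undefined); return; }`, or a check against the npm package-name pattern, would close that gap. Separately, execFile does not go through a shell, so on Windows the bare name `npm` may not resolve to `npm.cmd`; because the callback only acts on `if (!error)`, such a failure would probably be silent. The body of npmView continues past the end of the hunk, so the error path is not visible here.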