From e30b6882a45b2cad435e9ae2551a00a6f61d4dd0 Mon Sep 17 00:00:00 2001 From: sbs20 Date: Tue, 14 Feb 2023 20:36:21 +0000 Subject: [PATCH] Fix command-builder arg escape for `;` Issue #551 Also version bump for patch release
---
 package-lock.json | 4 ++-- package.json | 2 +- packages/client/package-lock.json | 4 ++-- packages/client/package.json | 2 +- packages/server/package-lock.json | 4 ++-- packages/server/package.json | 2 +- packages/server/src/classes/command-builder.js | 2 +- packages/server/test/command-builder.test.js | 8 +++++++- 8 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 04c11f4d..8f99591c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "scanservjs", - "version": "2.25.1", + "version": "2.25.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "scanservjs", - "version": "2.25.1", + "version": "2.25.2", "hasInstallScript": true, "license": "GPL-2.0" }
diff --git a/package.json b/package.json
index e1032ea6..d8e3b16e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "scanservjs",
- "version": "2.25.1",
+ "version": "2.25.2",
 "description": "scanservjs is a simple web-based UI for SANE which allows you to share a scanner on a network without the need for drivers or complicated installation.",
 "scripts": {
 "clean": "rm -rf ./dist",
diff --git a/packages/client/package-lock.json b/packages/client/package-lock.json
index 2fc89e83..76e0ef7b 100644
--- a/packages/client/package-lock.json
+++ b/packages/client/package-lock.json
@@ -1,12 +1,12 @@ { "name": "scanservjs", - "version": "2.25.1", + "version": "2.25.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "scanservjs", - "version": "2.25.1", + "version": "2.25.2", "license": "GPL-2.0", "dependencies": { "@mdi/font": "^5.9.55",
diff --git a/packages/client/package.json b/packages/client/package.json
index 6a472141..7e0f8d77 100644
--- a/packages/client/package.json
+++ b/packages/client/package.json
@@ -1,6 +1,6 @@
 {
 "name": "scanservjs",
- "version": "2.25.1",
+ "version": "2.25.2",
 "description": "scanservjs is a simple web-based UI for SANE which allows you to share a scanner on a network without the need for drivers or complicated installation.",
 "author": "Sam Strachan",
 "scripts": {
diff --git a/packages/server/package-lock.json b/packages/server/package-lock.json
index 47e05a4e..8c9da19b 100644
--- a/packages/server/package-lock.json
+++ b/packages/server/package-lock.json
@@ -1,12 +1,12 @@ { "name": "scanservjs-api", - "version": "2.25.1", + "version": "2.25.2", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "scanservjs-api", - "version": "2.25.1", + "version": "2.25.2", "license": "GPL-2.0", "dependencies": { "adm-zip": "^0.5.5",
diff --git a/packages/server/package.json b/packages/server/package.json
index 3f5ecb0c..82d1a5c6 100644
--- a/packages/server/package.json
+++ b/packages/server/package.json
@@ -1,6 +1,6 @@
 {
 "name": "scanservjs-api",
- "version": "2.25.1",
+ "version": "2.25.2",
 "description": "scanservjs-api is a REST based API to control your scanner.",
 "scripts": {
 "lint": "gulp lint",
diff --git a/packages/server/src/classes/command-builder.js b/packages/server/src/classes/command-builder.js
index 9e851538..2bcf3eb1 100644
--- a/packages/server/src/classes/command-builder.js
+++ b/packages/server/src/classes/command-builder.js
@@ -18,7 +18,7 @@ module.exports = class CommandBuilder {
 if (typeof value === 'string') {
 if (value.includes('\'')) {
 throw Error('Argument must not contain single quote "\'"');
- } else if (['$', ' ', '#', '\\'].some(c => value.includes(c))) {
+ } else if (['$', ' ', '#', '\\', ';'].some(c => value.includes(c))) {
 return `'${value}'`;
 }
 }
diff --git a/packages/server/test/command-builder.test.js b/packages/server/test/command-builder.test.js
index e4661e1a..a963da77 100644
--- a/packages/server/test/command-builder.test.js
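Review bot: In packages/server/src/classes/command-builder.js the quoting condition is still a denylist, so a string value that contains other shell-significant characters but none of `$`, space, `#`, `\` or `;` (for example `&`, `|`, a backtick or a newline) is returned unquoted by this branch. Since single quotes are already rejected two lines above, quoting everything outside a known-safe set closes the whole class rather than one character per release: `} else if (!/^[A-Za-z0-9_.,:=@%+\/-]+$/.test(value)) {`. That keeps plain flags such as `-n` unquoted, as the existing tests expect. The enclosing method starts and ends outside the hunk, so how the built string is finally executed is not visible here; if it is handed to a shell, passing an argument array to a non-shell exec call would be the more durable fix.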
+++ b/packages/server/test/command-builder.test.js
@@ -15,12 +15,18 @@ describe('CommandBuilder', () => {
 'echo \'hello world\'');
 });
 
- it('command-arg2', async () => {
+ it('command-arg-hash', async () => {
 assert.strictEqual(
 new CommandBuilder('echo').arg('-n', 'hello#world').build(),
 'echo -n \'hello#world\'');
 });
 
+ it('command-arg-comma', async () => {
+ assert.strictEqual(
+ new CommandBuilder('echo').arg('-n', 'hello;world').build(),
+ 'echo -n \'hello;world\'');
+ });
+
 it('command-security-1', async () => {
 assert.strictEqual(
 new CommandBuilder('echo').arg('-n', 'hello" && ls -al;# world').build(),
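Review bot: The added case is named `command-arg-comma`, but the value it pins, `hello;world`, contains a semicolon; `it('command-arg-semicolon', async () => {` would describe what is being protected. The callbacks are declared `async` without awaiting anything, so the keyword can be dropped. Coverage also follows the denylist one character at a time: `command-security-1` uses a value with spaces, so it is quoted because of the space regardless of the other characters in it, and no visible case checks a whitespace-free value carrying a different shell operator. A small table-driven test over such values would document the intended quoting contract; the `command-security-1` assertion continues past the end of the hunk, so its expected string is not shown here.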