Fix a bypass for CVE-2020-16881 (#108034)

Fixes #107951 Uses child_process.execFile() rather than child_process.exec() to more effectively resolve the command injection vulnerability. Co-authored-by: N Justin Steven <justin@justinsteven.com>

Fix a bypass for CVE-2020-16881 (#108034)
Fixes #107951 Uses child_process.execFile() rather than child_process.exec() to more effectively resolve the command injection vulnerability. Co-authored-by: N Justin Steven <justin@justinsteven.com>
48ca6d9f · Martin Aeschlimann · GitHub · 0ecb64a2 · 48ca6d9f
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

extensions/npm/src/features/packageJSONContribution.ts extensions/npm/src/features/packageJSONContribution.ts +2 -2

未找到文件。
--- a/extensions/npm/src/features/packageJSONContribution.ts
+++ b/extensions/npm/src/features/packageJSONContribution.ts
@@ -282,8 +282,8 @@ export class PackageJSONContribution implements IJSONContribution {

 	private npmView(pack: string): Promise<ViewPackageInfo | undefined> {
 		return new Promise((resolve, _reject) => {
-			const command = 'npm view --json ' + pack + ' description dist-tags.latest homepage version';
-			cp.exec(command, (error, stdout) => {
+			const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version'];
+			cp.execFile('npm', args, (error, stdout) => {
 				if (!error) {
 					try {
 						const content = JSON.parse(stdout);