Merge pull request #973 from microsoft/benibenj/hon-guineafowl

Fix nodejs breaking change CVE-2024-27980
microsoft · May 3, 2024 · 093d33f · 093d33f
2 parents af201cd + c1ced1d
commit 093d33f
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 5 deletions.
diff --git a/src/package.ts b/src/package.ts
@@ -395,25 +395,46 @@ export async function versionBump(options: IVersionBumpOptions): Promise<void> {
 			}
 	}
 
+
 	// call `npm version` to do our dirty work
 	const args = ['version', options.version];
 
-	if (options.commitMessage) {
-		args.push('-m', options.commitMessage);
+	const isWindows = process.platform === 'win32';
+
+	const commitMessage = isWindows ? sanitizeCommitMessage(options.commitMessage) : options.commitMessage;
+	if (commitMessage) {
+		args.push('-m', commitMessage);
 	}
 
 	if (!(options.gitTagVersion ?? true)) {
 		args.push('--no-git-tag-version');
 	}
 
-	const { stdout, stderr } = await promisify(cp.execFile)(process.platform === 'win32' ? 'npm.cmd' : 'npm', args, { cwd });
-
+	const { stdout, stderr } = await promisify(cp.execFile)(isWindows ? 'npm.cmd' : 'npm', args, { cwd, shell: isWindows /* https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 */ });
 	if (!process.env['VSCE_TESTS']) {
 		process.stdout.write(stdout);
 		process.stderr.write(stderr);
 	}
 }
 
+function sanitizeCommitMessage(message?: string): string | undefined {
+	if (!message) {
+		return undefined;
+	}
+
+	// Remove any unsafe characters found by the unsafeRegex
+	// Check for characters that might escape quotes or introduce shell commands.
+	// Don't allow: ', ", `, $, \ (except for \n which is allowed)
+	const sanitizedMessage = message.replace(/(?<!\\)\\(?!n)|['"`$]/g, '');
+
+	if (sanitizedMessage.length === 0) {
+		return undefined;
+	}
+
+	// Add quotes as commit message is passed as a single argument to the shell
+	return `"${sanitizedMessage}"`;
+}
+
 export const Targets = new Set([
 	'win32-x64',
 	'win32-arm64',

diff --git a/src/test/package.test.ts b/src/test/package.test.ts
@@ -2940,7 +2940,7 @@ describe('version', function () {
 	const fixtureFolder = fixture('vsixmanifest');
 	let cwd: string;
 
-	const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8' });
+	const git = (args: string[]) => spawnSync('git', args, { cwd, encoding: 'utf-8', shell: true });
 
 	beforeEach(() => {
 		dir = tmp.dirSync({ unsafeCleanup: true });