@@ -7,6 +7,8 @@ import {ProcessSpawnError, ProcessTermError} from '../errors.js';
7
7
import { promisify } from './promise.js' ;
8
8
9
9
const child = require ( 'child_process' ) ;
10
+ const fs = require ( 'fs' ) ;
11
+ const path = require ( 'path' ) ;
10
12
11
13
export const queue = new BlockingQueue ( 'child' , constants . CHILD_CONCURRENCY ) ;
12
14
@@ -15,7 +17,24 @@ let uid = 0;
15
17
16
18
export const exec = promisify ( child . exec ) ;
17
19
20
+ function validate ( program : string , opts ?: Object = { } ) {
21
+ if ( program . includes ( '/' ) ) {
22
+ return true ;
23
+ }
24
+
25
+ const cwd = opts . cwd || process . cwd ( ) ;
26
+ const pathext = process . env . PATHEXT || '' ;
27
+
28
+ for ( const ext of pathext . split ( ';' ) ) {
29
+ const candidate = path . join ( cwd , `${ program } ${ ext } ` ) ;
30
+ if ( fs . existsSync ( candidate ) ) {
31
+ throw new Error ( `Potentially dangerous call to "${ program } " in ${ cwd } ` ) ;
32
+ }
33
+ }
34
+ }
35
+
18
36
export function forkp ( program : string , args : Array < string > , opts ?: Object ) : Promise < number > {
37
+ validate ( program , opts ) ;
19
38
const key = String ( ++ uid ) ;
20
39
return new Promise ( ( resolve , reject ) => {
21
40
const proc = child . fork ( program , args , opts ) ;
@@ -32,6 +51,7 @@ export function forkp(program: string, args: Array<string>, opts?: Object): Prom
32
51
}
33
52
34
53
export function spawnp ( program : string , args : Array < string > , opts ?: Object ) : Promise < number > {
54
+ validate ( program , opts ) ;
35
55
const key = String ( ++ uid ) ;
36
56
return new Promise ( ( resolve , reject ) => {
37
57
const proc = child . spawn ( program , args , opts ) ;
@@ -73,6 +93,8 @@ export function spawn(
73
93
key ,
74
94
( ) : Promise < string > =>
75
95
new Promise ( ( resolve , reject ) => {
96
+ validate ( program , opts ) ;
97
+
76
98
const proc = child . spawn ( program , args , opts ) ;
77
99
spawnedProcesses [ key ] = proc ;
78
100
0 commit comments