CVE-2023-25805: fix: Command Injection Vuln · commenthol/versionn@2ca1288
versionn, software for changing version information across multiple files, has a command injection vulnerability in all versions prior to version 1.1.0. This issue is patched in version 1.1.0.
@@ -1,32 +1,44 @@
‘use strict’
var child = require(‘child_process’)
function GitFn (version, options) {
this._version = version
this._options = {
cwd: options.dir,
env: process.env,
setsid: false,
stdio: [0, 1, 2]
const child = require(‘child_process’)
const semver = require(‘semver’)
const assertVersionValid = version => {
if (!semver.valid(version)) {
throw new Error(‘version is invalid’)
}
}
module.exports = GitFn
GitFn.prototype = {
tag: function (cb) {
var cmd = ['git’, 'tag’, ‘v’ + this._version].join(' ')
this._exec(cmd, cb)
},
untag: function (cb) {
var cmd = ['git’, 'tag’, '-d’, ‘v’ + this._version].join(' ')
this._exec(cmd, cb)
},
commit: function (cb) {
var cmd = ['git’, 'commit’, '-am’, ‘"’ + this._version + ‘"’].join(' ')
this._exec(cmd, cb)
},
_exec: function (cmd, cb) {
child.exec(cmd, this._options, cb)
const exec = (cmd, options, cb) => child.exec(cmd, options, cb)
class GitFn {
constructor (version, options) {
this._version = version
this._options = {
cwd: options.dir,
env: process.env,
setsid: false,
stdio: [0, 1, 2]
}
}
tag (cb) {
assertVersionValid(this._version)
const cmd = ['git’, 'tag’, ‘v’ + this._version].join(' ')
exec(cmd, this._options, cb)
}
untag (cb) {
assertVersionValid(this._version)
const cmd = ['git’, 'tag’, '-d’, ‘v’ + this._version].join(' ')
exec(cmd, this._options, cb)
}
commit (cb) {
assertVersionValid(this._version)
const cmd = ['git’, 'commit’, '-am’, ‘"’ + this._version + ‘"’].join(' ')
exec(cmd, this._options, cb)
}
}
module.exports = GitFn
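Review bot: The rewritten tag, untag and commit methods still join this._version into a single string and hand it to child.exec, so a shell remains in the path and assertVersionValid is the only thing standing between the version string and shell metacharacters. The semver check does close the reported hole, since a valid semver string only contains digits, letters, `.`, `-` and `+`, but a later change to the validator (or a call path that sets _version after construction) would reopen it silently. Spawning git through child_process.execFile with an argv array removes shell interpretation entirely, keeps the callback shape (err, stdout, stderr) the existing callers use, and lets the commit message drop the hand-rolled double quotes, which were only there for shell quoting; the semver assertion then stays as a second layer rather than the sole one. I would also add a one-line comment above assertVersionValid, `// version is interpolated into git arguments; reject anything that is not strict semver`, so the reason for the check survives refactors. The file header and require lines above the class are outside this note's scope and unchanged.
```javascript
const execFile = (file, args, options, cb) => child.execFile(file, args, options, cb)
// … unchanged: class GitFn constructor …
  tag (cb) {
    assertVersionValid(this._version)
    execFile('git', ['tag', 'v' + this._version], this._options, cb)
  }
  untag (cb) {
    assertVersionValid(this._version)
    execFile('git', ['tag', '-d', 'v' + this._version], this._options, cb)
  }
  commit (cb) {
    assertVersionValid(this._version)
    execFile('git', ['commit', '-am', this._version], this._options, cb)
  }
```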
### Impact
Command Injection Vulnerability. All versions <1.1.0 are affected.
### Patches
Please upgrade to versionn@1.1.0