
Commit b1fa143

committed
[Fix] nvm_get_mirror: ensure only a valid URL is allowed
1 parent cc765cc commit b1fa143


2 files changed

+24
-11
lines changed


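--- a/nvm.sh
+++ b/nvm.sh
@@ -2035,12 +2035,18 @@ nvm_get_mirror() {
 esac
 
 case "${NVM_MIRROR}" in
-*\`* | *\\* | *\'* | *\(* )
+*\`* | *\\* | *\'* | *\(* | *' '* )
 nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
 return 2
 ;;
 esac
 
+
+if ! nvm_echo "${NVM_MIRROR}" | command awk '{ $0 ~ "^https?://[a-zA-Z0-9./_-]+$" }'; then
+nvm_err '$NVM_NODEJS_ORG_MIRROR and $NVM_IOJS_ORG_MIRROR may only contain a URL'
+return 2
+fi
+
 nvm_echo "${NVM_MIRROR}"
 }
 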
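Review bot: The added awk check at new line 2045 can never fail: `{ $0 ~ "^https?://[a-zA-Z0-9./_-]+$" }` is an action whose match result is evaluated and discarded, and awk exits 0 whether or not the line matches. The `if !` branch is therefore unreachable, and only the `case` blocklist above actually filters `NVM_MIRROR`. Make the exit status carry the result, for example `command awk '{ if ($0 !~ "^https?://[a-zA-Z0-9./_-]+$") exit 1 }'`. With that in place the allowlist would also reject `;`, `&`, `|`, `$` and non-http schemes, none of which the blocklist covers. `nvm_get_mirror` begins above this hunk, so how `NVM_MIRROR` is assigned is not visible here.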
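--- a/test/fast/Unit tests/nvm_get_mirror
+++ b/test/fast/Unit tests/nvm_get_mirror
@@ -23,18 +23,25 @@ set -e
 [ "$(nvm_get_mirror node std)" = "https://nodejs.org/dist" ] || die "incorrect default node-std mirror"
 [ "$(nvm_get_mirror iojs std)" = "https://iojs.org/dist" ] || die "incorrect default iojs-std mirror"
 
-NVM_NODEJS_ORG_MIRROR="test://domain"
-[ "$(nvm_get_mirror node std)" = "test://domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR"
+NVM_NODEJS_ORG_MIRROR="https://test-domain"
+[ "$(nvm_get_mirror node std)" = "https://test-domain" ] || die "node-std mirror should respect NVM_NODEJS_ORG_MIRROR"
 unset NVM_NODEJS_ORG_MIRROR
 
-NVM_IOJS_ORG_MIRROR="test://domain"
-[ "$(nvm_get_mirror iojs std)" = "test://domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR"
+NVM_IOJS_ORG_MIRROR="https://test-domain"
+[ "$(nvm_get_mirror iojs std)" = "https://test-domain" ] || die "iojs-std mirror should respect NVM_IOJS_ORG_MIRROR"
 unset NVM_IOJS_ORG_MIRROR
 
-NVM_NODEJS_ORG_MIRROR='`do something bad`'
-! nvm_get_mirror node std || die 'NVM_NODEJS_ORG_MIRROR errors with command injection attempt'
-[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection'
+testMirrors() {
+NVM_NODEJS_ORG_MIRROR="${1-}"
+! nvm_get_mirror node std || die "NVM_NODEJS_ORG_MIRROR errors with command injection attempt (${1-})"
+[ "$(nvm_get_mirror node std)" = "" ] || die 'NVM_NODEJS_ORG_MIRROR is protected against command injection'
 
-NVM_IOJS_ORG_MIRROR='`do something bad`'
-! nvm_get_mirror iojs std || die 'NVM_IOJS_ORG_MIRROR errors with command injection attempt'
-[ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection'
+NVM_IOJS_ORG_MIRROR="${1-}"
+! nvm_get_mirror iojs std || die "NVM_IOJS_ORG_MIRROR errors with command injection attempt (${1-})"
+[ "$(nvm_get_mirror iojs std)" = "" ] || die 'NVM_IOJS_ORG_MIRROR is protected against command injection'
+}
+
+testMirrors '`do something bad`'
+testMirrors 'https://nodejs.org/dist; xdg-open http://www.google.com;'
+testMirrors 'https://nodejs.org/dist&&xdg-open http://www.google.com;'
+testMirrors 'https://nodejs.org/dist|xdg-open http://www.google.com;'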
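Review bot: Every input passed to `testMirrors` contains either a backtick or a space, so each one is already rejected by the `case` blocklist in `nvm_get_mirror`, and the new URL regex is never what makes these assertions pass. Add inputs that only the regex can reject, such as `testMirrors 'https://nodejs.org/dist;true'` and `testMirrors 'test://domain'` (the value the old test accepted). The second `die` message in each pair, the "is protected against command injection" one, also omits `(${1-})`, so a failure there does not say which input slipped through.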
