From b9d148d697d3db807f653e2e6953c3de57dfeb8a Mon Sep 17 00:00:00 2001 From: Mikael Brevik Date: Mon, 9 Nov 2020 11:42:48 +0100 Subject: [PATCH 1/4] patch: fixes possible injection issue for notify-send --- lib/utils.js | 4 +++- test/notify-send.js | 11 +++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/lib/utils.js b/lib/utils.js index 2562b55..2bfacf3 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -313,7 +313,9 @@ module.exports.constructArgumentList = function (options, extra) { }; initial.forEach(function (val) { - args.push(escapeFn(val)); + if (typeof val === 'string') { + args.push(escapeFn(val)); + } }); for (var key in options) { if ( diff --git a/test/notify-send.js b/test/notify-send.js index 59a86c3..0dde938 100644 --- a/test/notify-send.js +++ b/test/notify-send.js @@ -70,6 +70,17 @@ describe('notify-send', function () { notifier.notify({ message: 'some\n "me\'ss`age`"' }); }); + it.only('should only include strings as arguments', function (done) { + var expected = ['"HACKED"', '--expire-time', '"10000"']; + + expectArgsListToBe(expected, done); + var notifier = new Notify({ suppressOsdCheck: true }); + var options = JSON.parse( + '{"title":"HACKED", "message":["`touch HACKED`"]}' + ); + notifier.notify(options); + }); + it('should send additional parameters as --"keyname"', function (done) { var expected = [ '"title"', From f5a7bc647589fc89ac64b0f1d259a853fcf057bc Mon Sep 17 00:00:00 2001 From: Mikael Brevik Date: Tue, 15 Dec 2020 16:28:53 +0100 Subject: [PATCH 2/4] fix: test cases --- test/notify-send.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/notify-send.js b/test/notify-send.js index 0dde938..894e5df 100644 --- a/test/notify-send.js +++ b/test/notify-send.js 
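Review bot: The new `typeof val === 'string'` guard protects only the positional `initial` values, while the `for (var key in options)` loop right after it (its body lies outside this hunk) still hands `options[key]` to `escapeFn` presumably without the same check, so a non-string value reaching an allowed option key looks like it would follow the same unescaped path the `message` array took before this patch. `escapeFn`'s body is not visible here, so I cannot confirm how it treats arrays, but the more robust shape is to enforce the string requirement inside `escapeFn` itself (or to apply the identical predicate wherever the options loop pushes `escapeFn(options[key])`) rather than at one of two call sites. The silent drop also deserves a why-comment, since a reader will otherwise take it for a typo: `// only strings are escaped and quoted; anything else (e.g. an array) would reach the command unescaped, so drop it`. `constructArgumentList` begins and ends outside this hunk.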
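Review bot: The new test drives the array bypass only through `message`, which notify-send presumably passes positionally via `initial`, so the `--key value` path taken by the options loop is not exercised at all; a second case such as `notifier.notify({ title: 'HACKED', 'expire-time': ['`touch HACKED`'] })` (or any option key the notifier forwards) with an assertion that no element of the argument list contains the backtick string would pin that path as well. The expected list `['"HACKED"', '--expire-time', '"10000"']` pins the message being dropped entirely, which is a behaviour change worth stating in the test name or a one-line comment, e.g. `// non-string message is discarded rather than escaped`. `expectArgsListToBe` and the enclosing `describe` block are defined outside this hunk.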
@@ -70,7 +70,7 @@ describe('notify-send', function () { notifier.notify({ message: 'some\n "me\'ss`age`"' }); }); - it.only('should only include strings as arguments', function (done) { + it('should only include strings as arguments', function (done) { var expected = ['"HACKED"', '--expire-time', '"10000"']; expectArgsListToBe(expected, done); From 0c4a80df9a3b5015cd1e1ab858e008be3fece082 Mon Sep 17 00:00:00 2001 From: Mikael Brevik Date: Tue, 15 Dec 2020 16:30:26 +0100 Subject: [PATCH 3/4] chore: adds changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5ff84af..c42669f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +### `v8.0.1` + +- fixes possible injection issue for notify-send + ### `v8.0.0` Breaking changes: From 5d62799dab88505a709cd032653b2320c5813fce Mon Sep 17 00:00:00 2001 From: Mikael Brevik Date: Tue, 15 Dec 2020 16:30:54 +0100 Subject: [PATCH 4/4] v8.0.1 --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 614923a..0b2c64e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-notifier", - "version": "8.0.0", + "version": "8.0.1", "description": "A Node.js module for sending notifications on native Mac, Windows (post and pre 8) and Linux (or Growl as fallback)", "main": "index.js", "scripts": {