Merge pull request #2 from zpbrent/patch-3

huntr.dev | the place to protect open source · web-flow · commit ab46fb8c4455 · 2021-03-03T18:00:21.000Z
Command Injection vul fix: Replace execSync with execFileSync
diff --git a/packages/react-dev-utils/getProcessForPort.js b/packages/react-dev-utils/getProcessForPort.js
@@ -9,6 +9,7 @@
 
 var chalk = require('chalk');
 var execSync = require('child_process').execSync;
+var execFileSync = require('child_process').execFileSync;
 var path = require('path');
 
 var execOptions = {
@@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) {
 }
 
 function getProcessIdOnPort(port) {
-  return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions)
+  return execFileSync('lsof', ['-i:'+port, '-P', '-t', '-sTCP:LISTEN'], execOptions)
     .split('\n')[0]
     .trim();
 }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`var chalk = require('chalk');`
`11`	`11`	`var execSync = require('child_process').execSync;`
	`12`	`+var execFileSync = require('child_process').execFileSync;`
`12`	`13`	`var path = require('path');`
`13`	`14`
`14`	`15`	`var execOptions = {`
`@@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) {`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`function getProcessIdOnPort(port) {`
`28`		`- return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions)`
	`29`	`+ return execFileSync('lsof', ['-i:'+port, '-P', '-t', '-sTCP:LISTEN'], execOptions)`
`29`	`30`	`.split('\n')[0]`
`30`	`31`	`.trim();`
`31`	`32`	`}`