fix: fix vulnerability with shellquote

wednesday-solutions · Aug 26, 2024 · d33b87f · d33b87f
1 parent 7811d43
commit d33b87f
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -35,6 +35,7 @@
     "get-graphql-schema": "^2.1.2",
     "lodash": "^4.17.21",
     "ora": "^8.1.0",
+    "shell-quote": "^1.8.1",
     "uuid": "^10.0.0"
   },
   "bin": {
@@ -68,8 +69,8 @@
     "eslint-config-standard": "^17.1.0",
     "eslint-plugin-import": "^2.29.1",
     "eslint-plugin-n": "^17.10.2",
-    "eslint-plugin-promise": "^7.1.0",
     "eslint-plugin-prettier": "^5.2.1",
+    "eslint-plugin-promise": "^7.1.0",
     "globals": "^15.9.0",
     "lint-staged": "^15.2.9",
     "pre-commit": "^1.2.2",

diff --git a/src/cli.js b/src/cli.js
@@ -1,4 +1,5 @@
 import shell from 'shelljs';
+import quote from 'shell-quote/quote';
 import process from 'process';
 import { generateOutput } from './index';
 
@@ -43,7 +44,7 @@ export function createConfig(config, args) {
     if (!k.includes('--')) {
       return shell.echo(`Invalid arg ${key}`);
     }
-    newConfig[key] = value;
+    newConfig[key] = quote(Array.isArray(value) ? value : [value]);
   }
   config = { ...config, ...newConfig };
   return config;

diff --git a/src/index.js b/src/index.js
@@ -214,7 +214,7 @@ async function generateOperationOutput(schema, list, operationName, config) {
 }
 
 export const generateOutput = async (config) => {
-  config.strippedEndpoint = config.endpoint.replace(/(http|https):\/\//, '').replaceAll('.', '_');
+  config.strippedEndpoint = config.endpoint.replace(/(http|https)\\:\/\//, '').replaceAll('.', '_');
 
   // create collection
   const collection = {};

diff --git a/yarn.lock b/yarn.lock
@@ -3860,6 +3860,11 @@ shebang-regex@^3.0.0:
   resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-3.0.0.tgz#ae16f1644d873ecad843b0307b143362d4c42172"
   integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==
 
+shell-quote@^1.8.1:
+  version "1.8.1"
+  resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.8.1.tgz#6dbf4db75515ad5bac63b4f1894c3a154c766680"
+  integrity sha512-6j1W9l1iAs/4xYBI1SYOVZyFcCis9b4KCLQ8fgAGG07QvzaRLVVRQvAy85yNmmZSjYjg4MWh4gNvlPujU/5LpA==
+
 shelljs@^0.8.5:
   version "0.8.5"
   resolved "https://registry.yarnpkg.com/shelljs/-/shelljs-0.8.5.tgz#de055408d8361bed66c669d2f000538ced8ee20c"