[CE-1330] Escaping args (#167)

drazisil · web-flow · commit 02cf13d8b93a · 2020-02-04T10:41:09.000-05:00
* Escaping args
diff --git a/.gitignore b/.gitignore
@@ -27,3 +27,4 @@ node_modules
 
 lib-cov/
 coverage.json
+.vs-code
diff --git a/lib/codecov.js b/lib/codecov.js
@@ -5,7 +5,6 @@ var urlgrey = require('urlgrey')
 var jsYaml = require('js-yaml')
 var walk = require('ignore-walk')
 var execSync = require('child_process').execSync
-var validator = require('validator')
 
 var detectProvider = require('./detect')
 
@@ -394,13 +393,13 @@ var upload = function(args, on_success, on_failure) {
       if (!isWindows) {
         gcov =
           'find ' +
-          (args.options['gcov-root'] || root) +
+          (sanitizeVar(args.options['gcov-root']) || root) +
           " -type f -name '*.gcno' " +
           gcg +
           ' -exec ' +
-          (validator.escape(args.options['gcov-exec']) || 'gcov') +
+          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
           ' ' +
-          (validator.escape(args.options['gcov-args']) || '') +
+          (sanitizeVar(args.options['gcov-args']) || '') +
           ' {} +'
       } else {
         // @TODO support for root
@@ -409,9 +408,9 @@ var upload = function(args, on_success, on_failure) {
           'for /f "delims=" %g in (\'dir /a-d /b /s *.gcno ' +
           gcg +
           "') do " +
-          (args.options['gcov-exec'] || 'gcov') +
+          (sanitizeVar(args.options['gcov-exec']) || 'gcov') +
           ' ' +
-          (args.options['gcov-args'] || '') +
+          (sanitizeVar(args.options['gcov-args']) || '') +
           ' %g'
       }
       debug.push(gcov)
@@ -556,7 +555,12 @@ var upload = function(args, on_success, on_failure) {
   }
 }
 
+function sanitizeVar(arg) {
+  return arg.replace(/&/g, '')
+}
+
 module.exports = {
+  sanitizeVar: sanitizeVar,
   upload: upload,
   version: version,
   sendToCodecovV2: sendToCodecovV2,
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,8 +35,7 @@
     "ignore-walk": "3.0.3",
     "js-yaml": "3.13.1",
     "teeny-request": "6.0.1",
-    "urlgrey": "0.4.4",
-    "validator": "12.2.0"
+    "urlgrey": "0.4.4"
   },
   "devDependencies": {
     "eslint": "^5.16.0",
diff --git a/test/index.test.js b/test/index.test.js
@@ -276,4 +276,10 @@ describe('Codecov', function() {
     expect(res.query.yaml).toBe(process.cwd() + '/foo.yml')
     mockFs.restore()
   })
+
+  it('can sanitize inputs', function() {
+    expect(codecov.sanitizeVar('real & run unsafe & command')).toEqual(
+      'real  run unsafe  command'
+    )
+  })
 })

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,4 @@ node_modules`
`27`	`27`
`28`	`28`	`lib-cov/`
`29`	`29`	`coverage.json`
	`30`	`+.vs-code`