Fixed command injection through the revertTo revision string

keymetrics · Apr 4, 2020 · 15d7bbe · 15d7bbe
1 parent 551bd45
commit 15d7bbe
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/lib/vizion.js b/lib/vizion.js
@@ -45,6 +45,9 @@ vizion.revertTo = function(argv, cb) {
   var revision = (argv.revision) ? argv.revision : false;
   var _folder = (argv.folder != undefined) ? argv.folder : '.';
 
+  if (revision && !/^[A-Za-z0-9]+$/.test(revision))
+    return cb('Error vizion::revertTo() received an invalid revision: ' + revision);
+
   if (!revision)
     return cb({msg: 'Cannot revert to an invalid commit revision', path: _folder});