sanitizeShellString() and other security improvements

sebhildebrandt · Mar 15, 2021 · 0be6fcd · 0be6fcd
1 parent 7922366
commit 0be6fcd
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 11 deletions.
diff --git a/lib/docker.js b/lib/docker.js
@@ -470,7 +470,7 @@ function dockerContainerStats(containerIDs, callback) {
         if (containerIDsSanitized !== '*') {
           containerIDsSanitized = '';
           const s = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerIDs, true)).trim();
-          for (let i = 0; i <= 2000; i++) {
+          for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
             if (!(s[i] === undefined)) {
               s[i].__proto__.toLowerCase = util.stringToLower;
               const sl = s[i].toLowerCase();

diff --git a/lib/internet.js b/lib/internet.js
@@ -46,8 +46,7 @@ function inetChecksite(url, callback) {
       }
       let urlSanitized = '';
       const s = util.sanitizeShellString(url, true);
-      const mathMin = util.mathMin;
-      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           s[i].__proto__.toLowerCase = util.stringToLower;
           const sl = s[i].toLowerCase();
@@ -145,8 +144,7 @@ function inetLatency(host, callback) {
       }
       let hostSanitized = '';
       const s = (util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host, true)).trim();
-      const mathMin = util.mathMin;
-      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           s[i].__proto__.toLowerCase = util.stringToLower;
           const sl = s[i].toLowerCase();

diff --git a/lib/network.js b/lib/network.js
@@ -1061,8 +1061,7 @@ function networkStatsSingle(iface) {
     process.nextTick(() => {
       let ifaceSanitized = '';
       const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
-      const mathMin = util.mathMin;
-      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           ifaceSanitized = ifaceSanitized + s[i];
         }

diff --git a/lib/processes.js b/lib/processes.js
@@ -111,8 +111,7 @@ function services(srv, callback) {
         srvString.__proto__.trim = util.stringTrim;
 
         const s = util.sanitizeShellString(srv);
-        const mathMin = util.mathMin;
-        for (let i = 0; i <= mathMin(s.length, 2000); i++) {
+        for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
           if (!(s[i] === undefined)) {
             srvString = srvString + s[i];
           }
@@ -911,8 +910,7 @@ function processLoad(proc, callback) {
       processesString.__proto__.trim = util.stringTrim;
 
       const s = util.sanitizeShellString(proc);
-      const mathMin = util.mathMin;
-      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           processesString = processesString + s[i];
         }