Merge pull request #44 from 418sec/1-npm-find-process

Security Fix for Command Injection - huntr.dev
yibn2008 · May 8, 2021 · 872c18a · 872c18a
2 parents 723f44d + 4ca6a5c
commit 872c18a
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/find.js b/lib/find.js
@@ -57,7 +57,12 @@ function find (by, value, strict) {
     if (!(by in findBy)) {
       reject(new Error(`do not support find by "${by}"`))
     } else {
-      findBy[by](value, strict).then(resolve, reject)
+      if (by === 'pid' && typeof value !== 'number')
+        reject(new Error(`pid must be a number`))
+      else if (by === 'port' && typeof value !== 'number')
+        reject(new Error(`port must be a number`))
+      else
+        findBy[by](value, strict).then(resolve, reject)
     }
   })
 }