Unsafe shell command constructed from library input (#509)

microsoft · Jan 2, 2025 · 47eaa4c · 47eaa4c
1 parent d0bb14f
commit 47eaa4c
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -41,6 +41,7 @@
     "minimist": "^1.2.8",
     "replacestream": "^4.0.0",
     "send-transform": "^0.15.1",
+    "shell-quote": "^1.8.2",
     "socket.io": "^2.4.1",
     "through2": "^4.0.2",
     "uuid": "^9.0.0"

diff --git a/src/browsers/browser.js b/src/browsers/browser.js
@@ -4,6 +4,7 @@
 
 const child_process = require('child_process');
 const open = require('open');
+const quote = require('shell-quote/quote');
 
 const NOT_INSTALLED = 'The browser target is not installed: %target%';
 const NOT_SUPPORTED = 'The browser target is not supported: %target%';
@@ -52,8 +53,8 @@ function launchBrowser(opts) {
             if (target != 'edge') {
                 args.push(url);
             }
-
-            const command = args.join(' ');
+            
+            const command = quote(args);
             const result = exec(command);
             result.catch(() => {
                 throw new Error(NOT_INSTALLED.replace('%target%', target));