Security Fix for Command Injection - huntr.dev (facebook#10644)

huntr.dev | the place to protect open source · zpbrent · gaearon · wombleton · commit ebb750ec420c · 2021-06-01T15:48:08.000+12:00
* Update getProcessForPort.js

* Update getProcessForPort.js

Co-authored-by: Zhou Peng &lt;zpbrent@gmail.com&gt;
Co-authored-by: Dan Abramov &lt;dan.abramov@gmail.com&gt;
diff --git a/packages/react-dev-utils/getProcessForPort.js b/packages/react-dev-utils/getProcessForPort.js
@@ -9,6 +9,7 @@
 
 var chalk = require('chalk');
 var execSync = require('child_process').execSync;
+var execFileSync = require('child_process').execFileSync;
 var path = require('path');
 
 var execOptions = {
@@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) {
 }
 
 function getProcessIdOnPort(port) {
-  return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions)
+  return execFileSync('lsof', ['-i:' + port, '-P', '-t', '-sTCP:LISTEN'], execOptions)
     .split('\n')[0]
     .trim();
 }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`var chalk = require('chalk');`
`11`	`11`	`var execSync = require('child_process').execSync;`
	`12`	`+var execFileSync = require('child_process').execFileSync;`
`12`	`13`	`var path = require('path');`
`13`	`14`
`14`	`15`	`var execOptions = {`
`@@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) {`
`25`	`26`	`}`
`26`	`27`
`27`	`28`	`function getProcessIdOnPort(port) {`
`28`		`- return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions)`
	`29`	`+ return execFileSync('lsof', ['-i:' + port, '-P', '-t', '-sTCP:LISTEN'], execOptions)`
`29`	`30`	`.split('\n')[0]`
`30`	`31`	`.trim();`
`31`	`32`	`}`