cross-spawn-async
Comparing version 2.2.1 to 2.2.2
@@ -42,10 +42,11 @@ var fs = require('fs'); | ||
function escapeArg(arg, skipQuote) { | ||
function escapeArg(arg, quote) { | ||
// Convert to string | ||
arg = '' + arg; | ||
// Escaped based on: http://qntm.org/cmd | ||
// Unless we're told otherwise, don't quote unless we actually need to do so, | ||
// hopefully avoid problems if programs won't parse quotes properly | ||
if (!skipQuote && (!arg || /[\s"]/.test(arg))) { | ||
// If we are not going to quote the argument, | ||
// escape shell metacharacters, including double and single quotes: | ||
if (!quote) { | ||
arg = arg.replace(/([\(\)%!\^<>&|;,"'\s])/g, '^$1'); | ||
} else { | ||
// Sequence of backslashes followed by a double quote: | ||
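Review bot: The second parameter of `escapeArg` flips meaning in this hunk (`skipQuote` becomes `quote`), so a call that omits it now takes the `if (!quote)` branch and is caret-escaped only, never quoted. The two call sites visible on this page pass the flag explicitly, but any caller outside these hunks that still uses the one-argument form would silently lose quoting. I would state the contract above the function, e.g. `// quote: true wraps arg in double quotes and escapes embedded quotes/backslashes; false or omitted only caret-escapes shell metacharacters`, and re-check the remaining callers. The else branch continues past the end of this hunk.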
@@ -66,11 +67,15 @@ // double up all the backslashes and escape the double quote | ||
// Finally escape shell meta chars | ||
arg = arg.replace(/([\(\)%!\^<>&|;,"'\s])/g, '^$1'); | ||
return arg; | ||
} | ||
function escapeCommand(command) { | ||
// Do not escape if this command is not dangerous.. | ||
// We do this so that commands like "echo" or "ifconfig" work | ||
// Quoting them, will make them unaccessible | ||
return /^[a-z0-9_-]+$/i.test(command) ? command : escapeArg(command, true); | ||
} | ||
function parseCall(command, args, options) { | ||
var shebang; | ||
var skipQuotes; | ||
var applyQuotes; | ||
var file; | ||
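Review bot: The comment on `escapeCommand` describes a name matching `/^[a-z0-9_-]+$/i` as "not dangerous", but the test only shows that the name contains no character that needs escaping; it says nothing about what the command does. A wording that matches the check would be `// Names made only of [a-z0-9_-] need no escaping; pass them through unquoted so commands like "echo" still work` (and "unaccessible" should read "inaccessible"). Routing everything else through `escapeArg(command, true)` is the right default and worth saying in the same comment. `parseCall` begins in this hunk and continues beyond it.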
@@ -101,6 +106,6 @@ var original; | ||
// Escape command & arguments | ||
skipQuotes = command === 'echo'; // Do not quote arguments for the special "echo" command | ||
command = escapeArg(command); | ||
applyQuotes = command !== 'echo'; // Do not quote arguments for the special "echo" command | ||
command = escapeCommand(command); | ||
args = args.map(function (arg) { | ||
return escapeArg(arg, skipQuotes); | ||
return escapeArg(arg, applyQuotes); | ||
}); | ||
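Review bot: `applyQuotes = command !== 'echo'` is a case-sensitive comparison, while `escapeCommand` matches names with the `i` flag and Windows command names are case-insensitive, so `ECHO` or `Echo` would get quoted arguments and miss the special case. If `command` is always a string at this point (the earlier part of `parseCall` is outside the hunk), `applyQuotes = command.toLowerCase() !== 'echo';` covers those spellings. Because the echo path relies on caret-escaping alone, a regression test that passes arguments containing `&`, `|` and `"` through `echo` would pin that branch.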
@@ -107,0 +112,0 @@ |
{ | ||
"name": "cross-spawn-async", | ||
"version": "2.2.1", | ||
"version": "2.2.2", | ||
"description": "Cross platform child_process#spawn", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -45,3 +45,3 @@ # cross-spawn-async | ||
var process = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' }); | ||
var child = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' }); | ||
``` | ||
@@ -48,0 +48,0 @@ |
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 1 instance in 1 package