Comparing version 0.8.4 to 0.8.5
{ | ||
"name": "shelljs", | ||
"version": "0.8.4", | ||
"version": "0.8.5", | ||
"description": "Portable Unix shell commands for Node.js", | ||
@@ -5,0 +5,0 @@ "keywords": [ |
@@ -51,3 +51,20 @@ var common = require('./common'); | ||
fs.writeFileSync(paramsFile, JSON.stringify(paramsToSerialize), 'utf8'); | ||
// Create the files and ensure these are locked down (for read and write) to | ||
// the current user. The main concerns here are: | ||
// | ||
// * If we execute a command which prints sensitive output, then | ||
// stdoutFile/stderrFile must not be readable by other users. | ||
// * paramsFile must not be readable by other users, or else they can read it | ||
// to figure out the path for stdoutFile/stderrFile and create these first | ||
// (locked down to their own access), which will crash exec() when it tries | ||
// to write to the files. | ||
function writeFileLockedDown(filePath, data) { | ||
fs.writeFileSync(filePath, data, { | ||
encoding: 'utf8', | ||
mode: parseInt('600', 8), | ||
}); | ||
} | ||
writeFileLockedDown(stdoutFile, ''); | ||
writeFileLockedDown(stderrFile, ''); | ||
writeFileLockedDown(paramsFile, JSON.stringify(paramsToSerialize)); | ||
@@ -95,2 +112,3 @@ var execArgs = [ | ||
// No biggie if we can't erase the files now -- they're in a temp dir anyway | ||
// and we locked down permissions (see the note above). | ||
try { common.unlinkSync(paramsFile); } catch (e) {} | ||
@@ -97,0 +115,0 @@ try { common.unlinkSync(stderrFile); } catch (e) {} |
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
212044
3237