escape printed characters to prevent command injection #45

2021-02-21 12:34:33 +01:00
parent 45a3669443
commit 1260eea690
4 changed files with 72 additions and 22 deletions
--- a/src/application/Context/State/Code/Generation/Languages/BatchBuilder.ts
+++ b/src/application/Context/State/Code/Generation/Languages/BatchBuilder.ts
@@ -5,6 +5,12 @@ export class BatchBuilder extends CodeBuilder {
        return '::';
    }
    protected writeStandardOut(text: string): string {
-        return `echo ${text}`;
+        return `echo ${escapeForEcho(text)}`;
    }
 }
+
+function escapeForEcho(text: string) {
+    return text
+        .replace(/&/g, '^&')
+        .replace(/%/g, '%%');
+}
--- a/src/application/Context/State/Code/Generation/Languages/ShellBuilder.ts
+++ b/src/application/Context/State/Code/Generation/Languages/ShellBuilder.ts
@@ -5,6 +5,11 @@ export class ShellBuilder extends CodeBuilder {
        return '#';
    }
    protected writeStandardOut(text: string): string {
-        return `echo '${text}'`;
+        return `echo '${escapeForEcho(text)}'`;
    }
 }
+
+function escapeForEcho(text: string) {
+    return text
+        .replace(/'/g, '\'\\\'\'');
+}