Merge pull request from GHSA-rj44-gpjc-29r7

fix(egf): update GPG invocation to avoid arb code exec
thi-ng · Mar 27, 2021 · 88f6165 · 88f6165
2 parents c3f5ec1 + 3e14765
commit 88f6165
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/packages/egf/src/tags.ts b/packages/egf/src/tags.ts
@@ -1,7 +1,7 @@
 import type { IObjectOf } from "@thi.ng/api";
 import { maybeParseFloat, maybeParseInt, unescape } from "@thi.ng/strings";
 import { base64Decode } from "@thi.ng/transducers-binary";
-import { execSync } from "child_process";
+import { execFileSync } from "child_process";
 import { readFileSync } from "fs";
 import { resolve as resolvePath } from "path";
 import { IS_NODE, NODE_ONLY, TagParser } from "./api";
@@ -24,7 +24,9 @@ export const BUILTINS: IObjectOf<TagParser> = {
     gpg: IS_NODE
         ? (_, body, ctx) =>
               (ctx.opts.decrypt
-                  ? execSync(`echo "${body}" | gpg --decrypt`).toString()
+                  ? execFileSync("gpg", ["--decrypt"], {
+                        input: body,
+                    }).toString()
                   : body
               ).trim()
         : NODE_ONLY,