From 0a843826cee0f6f6ab7b5778644589c49999be8d Mon Sep 17 00:00:00 2001 From: Giovanni Date: Thu, 5 Dec 2024 17:45:22 +0100 Subject: [PATCH] child_process: validate strings in exec and spawn --- lib/child_process.js | 20 ++++++---- .../parallel/test-child-process-exec-error.js | 40 +++++++++++++++++-- test/parallel/test-child-process-execfile.js | 30 ++++++++++++++ .../test-child-process-spawn-error.js | 16 ++++++++ test/parallel/test-child-process-spawnsync.js | 15 +++++++ 5 files changed, 110 insertions(+), 11 deletions(-) diff --git a/lib/child_process.js b/lib/child_process.js index 3fb21f755be3d7b..1c7a3ddfc107b07 100644 --- a/lib/child_process.js +++ b/lib/child_process.js @@ -186,8 +186,7 @@ function _forkChild(fd, serializationMode) { } function normalizeExecArgs(command, options, callback) { - validateString(command, 'command'); - validateArgumentNullCheck(command, 'command'); + validateStringParam(command, 'command'); if (typeof options === 'function') { callback = options; @@ -260,6 +259,8 @@ ObjectDefineProperty(exec, promisify.custom, { }); function normalizeExecFileArgs(file, args, options, callback) { + validateStringParam(file, 'file'); + if (ArrayIsArray(args)) { args = ArrayPrototypeSlice(args); } else if (args != null && typeof args === 'object') { @@ -535,12 +536,17 @@ function copyProcessEnvToEnv(env, name, optionEnv) { } } -function normalizeSpawnArguments(file, args, options) { - validateString(file, 'file'); - validateArgumentNullCheck(file, 'file'); +function validateStringParam(param, paramName) { + validateString(param, paramName); + validateArgumentNullCheck(param, paramName); + + if (param.length === 0) { + throw new ERR_INVALID_ARG_VALUE(paramName, param, 'cannot be empty'); + } +} - if (file.length === 0) - throw new ERR_INVALID_ARG_VALUE('file', file, 'cannot be empty'); +function normalizeSpawnArguments(file, args, options) { + validateStringParam(file, 'file'); if (ArrayIsArray(args)) { args = ArrayPrototypeSlice(args); diff --git a/test/parallel/test-child-process-exec-error.js b/test/parallel/test-child-process-exec-error.js index cd45f3071c2920d..59e661171556ca2 100644 --- a/test/parallel/test-child-process-exec-error.js +++ b/test/parallel/test-child-process-exec-error.js @@ -22,7 +22,7 @@ 'use strict'; const common = require('../common'); const assert = require('assert'); -const child_process = require('child_process'); +const { exec, execSync, execFile } = require('child_process'); function test(fn, code, expectPidType = 'number') { const child = fn('does-not-exist', common.mustCall(function(err) { @@ -35,10 +35,42 @@ function test(fn, code, expectPidType = 'number') { // With `shell: true`, expect pid (of the shell) if (common.isWindows) { - test(child_process.exec, 1, 'number'); // Exit code of cmd.exe + test(exec, 1, 'number'); // Exit code of cmd.exe } else { - test(child_process.exec, 127, 'number'); // Exit code of /bin/sh + test(exec, 127, 'number'); // Exit code of /bin/sh } // With `shell: false`, expect no pid -test(child_process.execFile, 'ENOENT', 'undefined'); +test(execFile, 'ENOENT', 'undefined'); + + +// Verify that the exec() function throws when command parameter is not a valid string +{ + assert.throws(() => { + exec(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + exec('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + exec('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +} + + +// Verify that the execSync() function throws when command parameter is not a valid string +{ + assert.throws(() => { + execSync(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + execSync('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + execSync('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +} diff --git a/test/parallel/test-child-process-execfile.js b/test/parallel/test-child-process-execfile.js index c4dba6b3f9466f0..f1833eaa88d9c92 100644 --- a/test/parallel/test-child-process-execfile.js +++ b/test/parallel/test-child-process-execfile.js @@ -125,3 +125,33 @@ const execOpts = { encoding: 'utf8', shell: true, env: { ...process.env, NODE: p })); }); } + +// Verify that the execFile() function throws when the file parameter is not a valid string +{ + assert.throws(() => { + execFile(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + execFile('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + execFile('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +} + +// Verify that the execFileSync() function throws when file parameter is not a valid string +{ + assert.throws(() => { + execFileSync(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + execFileSync('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + execFileSync('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +} diff --git a/test/parallel/test-child-process-spawn-error.js b/test/parallel/test-child-process-spawn-error.js index ed1c8fac9f97ed5..0885ed52d796d4c 100644 --- a/test/parallel/test-child-process-spawn-error.js +++ b/test/parallel/test-child-process-spawn-error.js @@ -53,3 +53,19 @@ enoentChild.on('error', common.mustCall(function(err) { assert.strictEqual(err.path, enoentPath); assert.deepStrictEqual(err.spawnargs, spawnargs); })); + + +// Verify that the spawn() function throws when the file parameter is not a valid string +{ + assert.throws(() => { + spawn(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + spawn('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + spawn('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +} diff --git a/test/parallel/test-child-process-spawnsync.js b/test/parallel/test-child-process-spawnsync.js index 9ec125ea891689e..5d89af35db0de13 100644 --- a/test/parallel/test-child-process-spawnsync.js +++ b/test/parallel/test-child-process-spawnsync.js @@ -65,3 +65,18 @@ assert.deepStrictEqual(ret_err.spawnargs, ['bar']); ]; assert.deepStrictEqual(retUTF8.output, stringifiedDefault); } + +// Verify that the spawnSync() function throws when the file parameter is not a valid string +{ + assert.throws(() => { + spawnSync(123, common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_TYPE' }); + + assert.throws(() => { + spawnSync('', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); + + assert.throws(() => { + spawnSync('\u0000', common.mustNotCall()); + }, { code: 'ERR_INVALID_ARG_VALUE' }); +}