New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: new alternative to exec #524
Conversation
@ariporad Please go ahead and start reviewing. The fixes for the test failures should be pretty trivial (some of them are with the tests themselves). This way I can knock out all the fixes at once. |
LGTM! This is really great, I think that we should consider building a new exec on top of it. |
I'll see if I can figure out why this is failing on unix. This will never pass on v0.10, so I think it's time to remove that from Travis (the version already wasn't supported by us). This is currently blocked by #525 #523 #522 and shelljs/shx#81, so help with those issues would be appreciated. |
f52fa45
to
e7bd06a
Compare
Hi, @nfischer. what's time your PR will be merged into master? |
@detailyang thanks for the follow up. I'll try to put in some work on this PR this week. I believe most of the blocking issues are now resolved. This just needs to be rebased on top of master and the tests need to be rewritten to use ava. |
e7bd06a
to
a949406
Compare
This is now rebased and tests are refactored. This is currently blocked on #633, and I need to check that I've properly taken advantage of the PRs that this was previously blocked by. |
TODO list (in no particular order):
|
Hi, @nfischer. what's time your PR will be merged into master? |
@zhiqunq this is still slated for v0.8. I haven't had time to pick it back up. I'm waiting to wrap this up so that I can be confident it fixes all of the major issues with |
Hope to see this soon! |
Unfortunately, I don't have a whole lot of time for OSS right now, so this will probably take a month or two. |
src/child.js
Outdated
// Wait to exit until all other work has been finished, like closing IO streams | ||
function delayedExit(code) { | ||
setTimeout(function () { | ||
process.exit(code); // let streams close before ending |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this use process.exitCode = code
instead?
Based on the warning from https://nodejs.org/api/process.html#process_process_exit_code
It is important to note that calling process.exit() will force the process to exit as quickly as possible even if there are still asynchronous operations pending that have not yet completed fully, including I/O operations to process.stdout and process.stderr.
(Which seems to imply it might not actually let the streams close/flush correctly?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is better, thanks!
On second thought, I'm not completely sure if delayedExit
would've worked. It posts a timeout to work around this, but that might not actually work if streams are buffered after the process finishes.
@nfischer Thanks for your work on this. It's a very useful feature. Looking forward to it. |
@nfischer thanks for good work here, we still good to have it in v0.8 ? |
Update: I'm trying to harden I almost have that working, and it's cleaning up quite a bit of code. After we land that, there should be a little bit of clean-up work, and then it should be easy to revisit this PR (and build a secure-by-default API!). Thanks for your patience! |
Bumping this back to v0.9. I want to release the hardened exec changes under v0.8 (still a minor security improvement). This will give us a chance to fix any bugs, and move forward with the new API. |
Any update for this? |
Updates:
|
Ok, so v0.8 is released! If you can, please try out the release, let us know if there are any new issues with |
We're looking forward to switching over to this more secure execution method! Any update? |
@igrayson I'm currently finishing up a local prototype. I will post a design doc in the next 2-ish weeks and upload a PR around the same time. Sorry this has dragged on so long, but this is indeed still on my radar (and thanks for asking about progress). |
Thank you all for your patience. I'm currently polishing up my prototype (it is going to take a slightly different approach from this PR). I've written a design doc, and I invite you all to comment on the design (in particular, please check the proposed design will work for your use case). Next steps:
|
New PR is up at #866! Closing this PR (and the other PR should be in a much more landable state than this one). |
If you've found this PR, please do not consider this a security fix. ShellJS does not have a security "vulnerability" to resolve, we have a poorly-designed API ( This PR is an obsolete attempt to provide a better API, but such a better API is not required for your modules to be secure. |
Update July 2019
Notice: this is not a security vulnerability, this is a prototype implementation for a feature request. Please see #945 for more context regarding security advisories.
Original message
Add a new command to launch external shell commands, providing a less vulnerable
alternative to exec(), with cross-platform globbing.
I'd love community input on the design of the new API, if this is an agreeable name, etc. This implementation would work well with shelljs-exec-proxy (see nfischer/shelljs-exec-proxy#2), which might be a better API alternative for Node v6+ users.
I believe this, in conjunction with
set('-f')
, should solve all the relevant security flaws surrounding command injection and unexpected globbing. Globbing is enabled by default in this implementation, for the sake of providing a consistent API across all commands.This relies on a JS-based implementation of globbing, which is an improvement on
exec()
, which inconsistently provides globbing on unix but not on windows.Fixes #143
Fixes #495
Fixes #103
I believe this should also help with #175, #5, shelljs/shx#68, and probably some others.