mirror of
https://github.com/balena-io/etcher.git
synced 2025-07-17 08:16:32 +00:00
fix(GUI): surround paths in double quotes before elevating (#779)
This PR makes sure every command line argument that represents an absolute path is surrounded by double quotes, to avoid any potential escaping issue. This greatly simplifies the various special character escaping routines we had in place, since we now only have to make sure double quotes inside the paths are escaped. Fixes: https://github.com/resin-io/etcher/issues/773 Change-Type: patch Changelog-Entry: Prevent escaping issues during elevation by surrounding paths in double quotes. Signed-off-by: Juan Cruz Viotti <jviotti@openmailbox.org>
This commit is contained in:
parent
b6817cfbb3
commit
fdbb7673a6
@ -16,9 +16,6 @@
|
|||||||
|
|
||||||
'use strict';
|
'use strict';
|
||||||
|
|
||||||
const _ = require('lodash');
|
|
||||||
const os = require('os');
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @summary Get the explicit boolean form of an argument
|
* @summary Get the explicit boolean form of an argument
|
||||||
* @function
|
* @function
|
||||||
@ -72,17 +69,7 @@ exports.getBooleanArgumentForm = (argumentName, value) => {
|
|||||||
exports.getCLIWriterArguments = (options) => {
|
exports.getCLIWriterArguments = (options) => {
|
||||||
const argv = [
|
const argv = [
|
||||||
options.entryPoint,
|
options.entryPoint,
|
||||||
_.attempt(() => {
|
options.image,
|
||||||
if (os.platform() === 'win32') {
|
|
||||||
return options.image;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Parenthesis and quotes need to be manually escaped, otherwise
|
|
||||||
// bash will complain about syntax errors when passing this
|
|
||||||
// string as an argument to the writer proxy script.
|
|
||||||
return options.image.replace(/([\(\)'"])/g, '\\$1');
|
|
||||||
|
|
||||||
}),
|
|
||||||
'--robot',
|
'--robot',
|
||||||
'--drive',
|
'--drive',
|
||||||
options.device,
|
options.device,
|
||||||
@ -98,20 +85,3 @@ exports.getCLIWriterArguments = (options) => {
|
|||||||
|
|
||||||
return argv;
|
return argv;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
|
||||||
* @summary Escape white spaces from arguments
|
|
||||||
* @function
|
|
||||||
* @public
|
|
||||||
*
|
|
||||||
* @param {String[]} argv - argv
|
|
||||||
* @returns {String[]} escaped arguments
|
|
||||||
*
|
|
||||||
* @example
|
|
||||||
* const escapedArguments = utils.escapeWhiteSpacesFromArguments(process.argv);
|
|
||||||
*/
|
|
||||||
exports.escapeWhiteSpacesFromArguments = (argv) => {
|
|
||||||
return _.map(argv, (argument) => {
|
|
||||||
return argument.replace(/\s/g, '\\ ');
|
|
||||||
});
|
|
||||||
};
|
|
||||||
|
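Review bot: `getCLIWriterArguments` now returns `options.image` verbatim on every platform, so its JSDoc (which starts outside this hunk) should state that the returned array is not shell-escaped, for example `* @description The returned arguments are not escaped; quote each one before joining them into a command string.` Without that, a future caller that joins the array with spaces has nothing telling it that quoting is its responsibility. `escapeWhiteSpacesFromArguments` was tagged `@public`, so it is worth confirming that no other module or test still references it before the export is removed.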
@ -26,7 +26,6 @@ const path = require('path');
|
|||||||
const sudoPrompt = Bluebird.promisifyAll(require('sudo-prompt'));
|
const sudoPrompt = Bluebird.promisifyAll(require('sudo-prompt'));
|
||||||
const EXIT_CODES = require('../exit-codes');
|
const EXIT_CODES = require('../exit-codes');
|
||||||
const packageJSON = require('../../../package.json');
|
const packageJSON = require('../../../package.json');
|
||||||
const utils = require('./utils');
|
|
||||||
|
|
||||||
// This script is in charge of spawning the writer process and
|
// This script is in charge of spawning the writer process and
|
||||||
// ensuring it has the necessary privileges. It might look a bit
|
// ensuring it has the necessary privileges. It might look a bit
|
||||||
@ -75,7 +74,7 @@ return isElevated().then((elevated) => {
|
|||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
const command = _.attempt(() => {
|
const commandArguments = _.attempt(() => {
|
||||||
const commandPrefix = [
|
const commandPrefix = [
|
||||||
|
|
||||||
// Some elevation tools, like `pkexec` or `kdesudo`, don't
|
// Some elevation tools, like `pkexec` or `kdesudo`, don't
|
||||||
@ -104,15 +103,19 @@ return isElevated().then((elevated) => {
|
|||||||
|
|
||||||
return commandPrefix
|
return commandPrefix
|
||||||
.concat([ process.env.APPIMAGE ])
|
.concat([ process.env.APPIMAGE ])
|
||||||
.concat(utils.escapeWhiteSpacesFromArguments(translatedArguments))
|
.concat(translatedArguments);
|
||||||
.join(' ');
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return commandPrefix.concat(
|
return commandPrefix.concat(process.argv);
|
||||||
utils.escapeWhiteSpacesFromArguments(process.argv)
|
|
||||||
).join(' ');
|
|
||||||
});
|
});
|
||||||
|
|
||||||
|
const command = _.join(_.map(commandArguments, (argument) => {
|
||||||
|
return `"${argument.replace(/(")/g, '\\$1')}"`;
|
||||||
|
}), ' ');
|
||||||
|
|
||||||
|
// For debugging purposes
|
||||||
|
console.log(`Running: ${command}`);
|
||||||
|
|
||||||
return sudoPrompt.execAsync(command, {
|
return sudoPrompt.execAsync(command, {
|
||||||
name: packageJSON.displayName
|
name: packageJSON.displayName
|
||||||
}).then((stdout, stderr) => {
|
}).then((stdout, stderr) => {
|
||||||
|
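Review bot: The new quoting in `_.map(commandArguments, ...)` escapes only `"`, but inside double quotes a POSIX shell still interprets `$`, backticks and backslashes, so an image path or drive name containing those characters is expanded or mis-parsed in the elevated command instead of being passed literally. A path ending in a backslash would also escape the closing quote. The comment removed from utils.js says the string is parsed by bash, so on non-Windows platforms single-quoting is the safer form: `const quoted = "'" + argument.replace(/'/g, "'\\''") + "'";`. If this path is also reached on Windows, cmd.exe has different quoting rules and needs its own handling. The enclosing `isElevated().then(...)` callback starts and ends outside the visible hunks.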