Replace child_process.exec by child_process.spawnSync (#428)

child_process.exec uses a shell to parse and launch command. Since here some arguments comes from external, it's unsecured. This MR uses spawnSync instead.
linagora · Mar 11, 2024 · faa42c2 · faa42c2
1 parent 423e7f2
commit faa42c2
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 44 deletions.
diff --git a/tdrive/backend/utils/nextcloud-migration/src/nextcloud_migration.ts b/tdrive/backend/utils/nextcloud-migration/src/nextcloud_migration.ts
@@ -1,4 +1,4 @@
-import { exec } from 'child_process';
+import { spawnSync } from 'child_process';
 // @ts-ignore
 import fs from 'fs';
 import { ShellLdapUserProvider } from './shell_ldap_user';
@@ -65,23 +65,22 @@ export class NextcloudMigration {
 
   async download(username: string, password: string, dir: string) {
     return new Promise((resolve, reject) => {
-      let cmd = `nextcloudcmd -s --non-interactive -u '${username}' -p '${password}' ${dir} ${this.config.nextcloudUrl}`;
+      let args = [ '-s', '--non-interactive', '-u', username, '-p', password, dir, this.config.nextcloudUrl];
       console.log('Start downloading data from Nextcloud');
-      exec(cmd, (error, stdout, stderr) => {
-        if (stderr) {
-          console.log('ERROR: ' + stderr);
-        }
-        if (stdout) {
-          console.log('OUT: ' + stdout);
-        }
-        if (error) {
-          console.log(`ERROR running sync for the user: ${error.message}`);
-          reject(error.message);
-        } else {
-          console.log('Download finished');
-          resolve('');
-        }
-      });
+      const ret = spawnSync('nextcloudcmd', args);
+      if (ret.stderr) {
+        console.log('ERROR:', ret.stderr.toString());
+      }
+      if (ret.stdout) {
+        console.log('OUT: ', ret.stdout.toString());
+      }
+      if (ret.error) {
+        console.log(`ERROR running sync for the user: ${ret.error.message}`);
+        reject(ret.error.message);
+      } else {
+        console.log('Download finished');
+        resolve('');
+      }
     });
   }
 

diff --git a/tdrive/backend/utils/nextcloud-migration/src/shell_ldap_user.ts b/tdrive/backend/utils/nextcloud-migration/src/shell_ldap_user.ts
@@ -1,5 +1,5 @@
 import { LdapConfiguration } from './ldap_user';
-import { exec } from 'child_process';
+import { spawnSync } from 'child_process';
 import ldif from 'ldif';
 import { logger } from "./logger"
 import { User, UserProvider } from "./user_privider";
@@ -14,37 +14,37 @@ export class ShellLdapUserProvider implements UserProvider {
 
   async find(username: string): Promise<User> {
     return new Promise<User>((resolve, reject) => {
-      let cmd = `ldapsearch -x -H ${this.config.url} -b '${this.config.baseDn}' '(uid=${username})'`;
+      const args = [ '-x', '-H', this.config.url, '-b', this.config.baseDn, `(uid=${username})` ];
       logger.info("Executing command to get data from LDAP for " + username);
-      exec(cmd, (error, stdout, stderr) => {
-        if (stderr) {
-          logger.info("ERROR: " + stderr);
-        }
-        if (error) {
-          logger.info(`ERROR running sync for the user: ${error.message}`);
-          reject(new Error(error.message));
-        } else {
-          if (stdout) {
-            try {
-              if (stdout.lastIndexOf("# search result") > 0) {
-                stdout = stdout.substring(0, stdout.lastIndexOf("# search result"))
-              }
-              let obj =  ldif.parse(stdout).shift().toObject({});
-              resolve({
-                lastName: obj.attributes.sn,
-                firstName: obj.attributes.givenName,
-                email: obj.attributes.mail,
-                uid: obj.attributes.uid} as User);
-            } catch (e) {
-              console.error(e)
-              resolve({ } as User);
+      const ret = spawnSync('ldapsearch', args);
+      if (ret.stderr) {
+        logger.info("ERROR:", ret.stderr);
+      }
+      if (ret.error) {
+        logger.info(`ERROR running sync for the user: ${ret.error.message}`);
+        reject(new Error(ret.error.message));
+      } else {
+        if (ret.stdout) {
+          let stdout = ret.stdout.toString();
+          try {
+            if (ret.stdout.lastIndexOf("# search result") > 0) {
+              stdout = stdout.substring(0, stdout.lastIndexOf("# search result"))
             }
-          } else {
-            logger.info("No user");
+            let obj =  ldif.parse(stdout).shift().toObject({});
+            resolve({
+              lastName: obj.attributes.sn,
+              firstName: obj.attributes.givenName,
+              email: obj.attributes.mail,
+              uid: obj.attributes.uid} as User);
+          } catch (e) {
+            console.error(e)
             resolve({ } as User);
           }
+        } else {
+          logger.info("No user");
+          resolve({ } as User);
         }
-      });
+      }
     });
   }