sanitizeShellString() and other security improvements

2021-03-15 11:42:12 +01:00 · 2021-03-15 11:42:12 +01:00 · 0be6fcd575
commit 0be6fcd575
parent 7922366d70
4 changed files with 6 additions and 11 deletions
--- a/lib/docker.js
+++ b/lib/docker.js
@ -470,7 +470,7 @@ function dockerContainerStats(containerIDs, callback) {
        if (containerIDsSanitized !== '*') {
          containerIDsSanitized = '';
          const s = (util.isPrototypePolluted() ? '' : util.sanitizeShellString(containerIDs, true)).trim();
-          for (let i = 0; i <= 2000; i++) {
+          for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
            if (!(s[i] === undefined)) {
              s[i].__proto__.toLowerCase = util.stringToLower;
              const sl = s[i].toLowerCase();
--- a/lib/internet.js
+++ b/lib/internet.js
@ -46,8 +46,7 @@ function inetChecksite(url, callback) {
      }
      let urlSanitized = '';
      const s = util.sanitizeShellString(url, true);
-      const mathMin = util.mathMin;
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
        if (!(s[i] === undefined)) {
          s[i].__proto__.toLowerCase = util.stringToLower;
          const sl = s[i].toLowerCase();
@ -145,8 +144,7 @@ function inetLatency(host, callback) {
      }
      let hostSanitized = '';
      const s = (util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host, true)).trim();
-      const mathMin = util.mathMin;
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
        if (!(s[i] === undefined)) {
          s[i].__proto__.toLowerCase = util.stringToLower;
          const sl = s[i].toLowerCase();
--- a/lib/network.js
+++ b/lib/network.js
@ -1061,8 +1061,7 @@ function networkStatsSingle(iface) {
    process.nextTick(() => {
      let ifaceSanitized = '';
      const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
-      const mathMin = util.mathMin;
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
        if (!(s[i] === undefined)) {
          ifaceSanitized = ifaceSanitized + s[i];
        }
--- a/lib/processes.js
+++ b/lib/processes.js
@ -111,8 +111,7 @@ function services(srv, callback) {
        srvString.__proto__.trim = util.stringTrim;
        const s = util.sanitizeShellString(srv);
-        const mathMin = util.mathMin;
+        for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
        for (let i = 0; i <= mathMin(s.length, 2000); i++) {
          if (!(s[i] === undefined)) {
            srvString = srvString + s[i];
          }
@ -911,8 +910,7 @@ function processLoad(proc, callback) {
      processesString.__proto__.trim = util.stringTrim;
      const s = util.sanitizeShellString(proc);
-      const mathMin = util.mathMin;
+      for (let i = 0; i <= util.mathMin(s.length, 2000); i++) {
      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
        if (!(s[i] === undefined)) {
          processesString = processesString + s[i];
        }