sanitizeShellString() and other security improvements

lib/internet.js

@@ -13,7 +13,7 @@
 // 12. Internet
 // ----------------------------------------------------------------------------------
 
-const exec = require('child_process').exec;
+// const exec = require('child_process').exec;
 const execFile = require('child_process').execFile;
 const util = require('./util');
 
@@ -46,11 +46,12 @@ function inetChecksite(url, callback) {
       }
       let urlSanitized = '';
       const s = util.sanitizeShellString(url, true);
-      for (let i = 0; i <= 2000; i++) {
+      const mathMin = util.mathMin;
+      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           s[i].__proto__.toLowerCase = util.stringToLower;
           const sl = s[i].toLowerCase();
-          if (sl && sl[0] && !sl[1]) {
+          if (sl && sl[0] && !sl[1] && sl[0].length === 1) {
             urlSanitized = urlSanitized + sl[0];
           }
         }
@@ -65,12 +66,14 @@ function inetChecksite(url, callback) {
           }
           let t = Date.now();
           if (_linux || _freebsd || _openbsd || _netbsd || _darwin || _sunos) {
-            let args = ' -I --connect-timeout 5 -m 5 ' + urlSanitized + ' 2>/dev/null | head -n 1 | cut -d " " -f2';
+            let args = ['-I', '--connect-timeout', '5', '-m', '5'];
+            args.push(urlSanitized);
             let cmd = 'curl';
-            exec(cmd + args, function (error, stdout) {
-              let statusCode = parseInt(stdout.toString());
+            util.execSave(cmd, args).then((stdout) => {
+              const lines = stdout.split('\n');
+              let statusCode = lines[0] && lines[0].indexOf(' ') >= 0 ? parseInt(lines[0].split(' ')[1], 10) : 404;
               result.status = statusCode || 404;
-              result.ok = !error && (statusCode === 200 || statusCode === 301 || statusCode === 302 || statusCode === 304);
+              result.ok = (statusCode === 200 || statusCode === 301 || statusCode === 302 || statusCode === 304);
               result.ms = (result.ok ? Date.now() - t : null);
               if (callback) { callback(result); }
               resolve(result);
@@ -142,7 +145,8 @@ function inetLatency(host, callback) {
       }
       let hostSanitized = '';
       const s = (util.isPrototypePolluted() ? '8.8.8.8' : util.sanitizeShellString(host, true)).trim();
-      for (let i = 0; i <= 2000; i++) {
+      const mathMin = util.mathMin;
+      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           s[i].__proto__.toLowerCase = util.stringToLower;
           const sl = s[i].toLowerCase();
@@ -171,10 +175,10 @@ function inetLatency(host, callback) {
           params = '-c2 -t3 ' + hostSanitized;
           filt = 'avg';
         }
-        execFile('ping', params.split(' '), function (error, stdout) {
+        util.execSave('ping', params.split(' ')).then((stdout) => {
           let result = null;
-          if (!error) {
-            const lines = stdout.toString().split('\n').filter(line => line.indexOf(filt) >= 0).join('\n');
+          if (stdout) {
+            const lines = stdout.split('\n').filter(line => line.indexOf(filt) >= 0).join('\n');
 
             const line = lines.split('=');
             if (line.length > 1) {
@@ -191,10 +195,10 @@ function inetLatency(host, callback) {
       if (_sunos) {
         const params = '-s -a ' + hostSanitized + ' 56 2';
         const filt = 'avg';
-        execFile('ping', params.split(' '), { timeout: 3000 }, function (error, stdout) {
+        util.execSave('ping', params.split(' '), { timeout: 3000 }).then((stdout) => {
           let result = null;
-          if (!error) {
-            const lines = stdout.toString().split('\n').filter(line => line.indexOf(filt) >= 0).join('\n');
+          if (stdout) {
+            const lines = stdout.split('\n').filter(line => line.indexOf(filt) >= 0).join('\n');
             const line = lines.split('=');
             if (line.length > 1) {
               const parts = line[1].split('/');

lib/network.js

@@ -1061,7 +1061,8 @@ function networkStatsSingle(iface) {
     process.nextTick(() => {
       let ifaceSanitized = '';
       const s = util.isPrototypePolluted() ? '---' : util.sanitizeShellString(iface);
-      for (let i = 0; i <= 2000; i++) {
+      const mathMin = util.mathMin;
+      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           ifaceSanitized = ifaceSanitized + s[i];
         }

lib/processes.js

@@ -111,7 +111,8 @@ function services(srv, callback) {
         srvString.__proto__.trim = util.stringTrim;
 
         const s = util.sanitizeShellString(srv);
-        for (let i = 0; i <= 2000; i++) {
+        const mathMin = util.mathMin;
+        for (let i = 0; i <= mathMin(s.length, 2000); i++) {
           if (!(s[i] === undefined)) {
             srvString = srvString + s[i];
           }
@@ -164,15 +165,15 @@ function services(srv, callback) {
               }
             }
           }
-          if ((_darwin) && srvString === '*') { // service enumeration mnot yet suported on mac OS
+          if ((_darwin) && srvString === '*') { // service enumeration not yet suported on mac OS
             if (callback) { callback(result); }
             resolve(result);
           }
-          let comm = (_darwin) ? 'ps -caxo pcpu,pmem,pid,command' : 'ps -axo pcpu,pmem,pid,command';
+          let args = (_darwin) ? ['-caxo', 'pcpu,pmem,pid,command'] : ['-axo', 'pcpu,pmem,pid,command'];
           if (srvString !== '' && srvs.length > 0) {
-            exec(comm + ' | grep -v grep | grep -iE "' + srvString + '"', { maxBuffer: 1024 * 20000 }, function (error, stdout) {   // lgtm [js/shell-command-constructed-from-input]
-              if (!error) {
-                let lines = stdout.toString().replace(/ +/g, ' ').replace(/,+/g, '.').split('\n');
+            util.execSave('ps', args).then((stdout) => {
+              if (stdout) {
+                let lines = stdout.replace(/ +/g, ' ').replace(/,+/g, '.').split('\n');
                 srvs.forEach(function (srv) {
                   let ps;
                   if (_darwin) {
@@ -267,9 +268,10 @@ function services(srv, callback) {
                   resolve(result);
                 }
               } else {
-                exec('ps -o comm | grep -v grep | egrep "' + srvString + '"', { maxBuffer: 1024 * 20000 }, function (error, stdout) {   // lgtm [js/shell-command-constructed-from-input]
-                  if (!error) {
-                    let lines = stdout.toString().replace(/ +/g, ' ').replace(/,+/g, '.').split('\n');
+                args = ['-o', 'comm'];
+                util.execSave('ps', args).then((stdout) => {
+                  if (stdout) {
+                    let lines = stdout.replace(/ +/g, ' ').replace(/,+/g, '.').split('\n');
                     srvs.forEach(function (srv) {
                       let ps = lines.filter(function (e) {
                         return e.indexOf(srv) !== -1;
@@ -909,7 +911,8 @@ function processLoad(proc, callback) {
       processesString.__proto__.trim = util.stringTrim;
 
       const s = util.sanitizeShellString(proc);
-      for (let i = 0; i <= 2000; i++) {
+      const mathMin = util.mathMin;
+      for (let i = 0; i <= mathMin(s.length, 2000); i++) {
         if (!(s[i] === undefined)) {
           processesString = processesString + s[i];
         }

lib/util.js

@@ -58,6 +58,7 @@ const stringToString = new String().toString;
 const stringSubstr = new String().substr;
 const stringTrim = new String().trim;
 const stringStartWith = new String().startsWith;
+const mathMin = Math.min;
 
 function isFunction(functionToCheck) {
   let getType = {};
@@ -389,6 +390,42 @@ function powerShell(cmd) {
   });
 }
 
+function execSave(cmd, args, options) {
+  let result = '';
+  options = options || {};
+
+  return new Promise((resolve) => {
+    process.nextTick(() => {
+      try {
+        const child = spawn(cmd, args, options);
+
+        if (child && !child.pid) {
+          child.on('error', function () {
+            resolve(result);
+          });
+        }
+        if (child && child.pid) {
+          child.stdout.on('data', function (data) {
+            result += data.toString();
+          });
+          child.on('close', function () {
+            child.kill();
+            resolve(result);
+          });
+          child.on('error', function () {
+            child.kill();
+            resolve(result);
+          });
+        } else {
+          resolve(result);
+        }
+      } catch (e) {
+        resolve(result);
+      }
+    });
+  });
+}
+
 function getCodepage() {
   if (_windows) {
     if (!codepage) {
@@ -506,7 +543,7 @@ function countLines(lines, startingWith) {
 function sanitizeShellString(str, strict = false) {
   const s = str || '';
   let result = '';
-  for (let i = 0; i <= 2000; i++) {
+  for (let i = 0; i <= mathMin(s.length, 2000); i++) {
     if (!(s[i] === undefined ||
       s[i] === '>' ||
       s[i] === '<' ||
@@ -925,6 +962,7 @@ exports.wmic = wmic;
 exports.darwinXcodeExists = darwinXcodeExists;
 exports.getVboxmanage = getVboxmanage;
 exports.powerShell = powerShell;
+exports.execSave = execSave;
 exports.nanoSeconds = nanoSeconds;
 exports.countUniqueLines = countUniqueLines;
 exports.countLines = countLines;
@@ -943,5 +981,6 @@ exports.stringToString = stringToString;
 exports.stringSubstr = stringSubstr;
 exports.stringTrim = stringTrim;
 exports.stringStartWith = stringStartWith;
+exports.mathMin = mathMin;
 exports.WINDIR = WINDIR;
 exports.getFilesInPath = getFilesInPath;