inetChecksite() fixed vulnerability: command injection

2020-10-26 10:53:59 +01:00
parent 443d85e3b8
commit 931fecaec2
4 changed files with 14 additions and 2 deletions
@@ -34,7 +34,13 @@ function inetChecksite(url, callback) {
  return new Promise((resolve) => {
    process.nextTick(() => {

-      const urlSanitized = util.sanitizeShellString(url).toLowerCase();
+      let urlSanitized = util.sanitizeShellString(url).toLowerCase();
+      urlSanitized = urlSanitized.replace(/ /g, '');
+      urlSanitized = urlSanitized.replace(/\$/g, '');
+      urlSanitized = urlSanitized.replace(/\(/g, '');
+      urlSanitized = urlSanitized.replace(/\)/g, '');
+      urlSanitized = urlSanitized.replace(/{/g, '');
+      urlSanitized = urlSanitized.replace(/}/g, '');
      let result = {
        url: urlSanitized,
        ok: false,