Add test for reported vulnerabilities

.npmignore

@@ -1,3 +1,4 @@
 .*
 *.log
 spec.js
+vulnerabilities/*

lib/reset/index.js

@@ -8,7 +8,7 @@ const exec = require('async-execute');
  */
 module.exports = async function(destination, { hard = true } = {}) {
  if (destination && typeof destination === 'string') {
- return await exec(`git reset ${destination} ${hard ? '--hard' : ''}`);
+ return await exec(`git reset ${JSON.stringify(destination)} ${hard ? '--hard' : ''}`);
  }
 
  if (destination && typeof destination === 'number') {

lib/reset/spec.js

@@ -32,7 +32,7 @@ describe('lib/reset', async() => {
 
  it('Should hard reset to a given sha', async() => {
  reset('shaid');
- expect(exec.getCall(0).args[0]).to.equal('git reset shaid --hard');
+ expect(exec.getCall(0).args[0]).to.equal('git reset "shaid" --hard');
  });
 
  it('Should hard reset to n commits back', async() => {
@@ -47,6 +47,6 @@ describe('lib/reset', async() => {
 
  it('Should reset w/o hard argument', async() => {
  reset('shaid', { hard: false });
- expect(exec.getCall(0).args[0].trim()).to.equal('git reset shaid');
+ expect(exec.getCall(0).args[0].trim()).to.equal('git reset "shaid"');
  });
 });

lib/tag/index.js

@@ -16,6 +16,6 @@ module.exports = async function(tag) {
  exec(`git config user.name "${await author}"`),
  exec(`git config user.email "${await email}"`),
  ]);
- await exec(`git tag -a ${tag} -m "${await message}"`);
- await exec(`git push origin refs/tags/${tag}`);
+ await exec(`git tag -a ${JSON.stringify(tag)} -m "${await message}"`);
+ await exec(`git push origin ${JSON.stringify(`refs/tags/${tag}`)}`);
 };

lib/tag/spec.js

@@ -31,7 +31,7 @@ describe('lib/tag', async() => {
  dummy.stub = command => lines.push(command);
 
  await gitTag('1.1.1');
- expect(lines).to.include('git tag -a 1.1.1 -m "this is a message"');
- expect(lines).to.include('git push origin refs/tags/1.1.1');
+ expect(lines).to.include('git tag -a "1.1.1" -m "this is a message"');
+ expect(lines).to.include('git push origin "refs/tags/1.1.1"');
  });
 });

package.json

@@ -1,6 +1,6 @@
 {
  "name": "async-git",
- "version": "1.13.0",
+ "version": "1.13.1",
  "description": "👾 Retrieve data from current git repository",
  "keywords": [
  "git",
@@ -33,6 +33,7 @@
  "async-execute": "^1.1.0"
  },
  "devDependencies": {
+ "@lets/wait": "^2.0.2",
  "@omrilotan/eslint-config": "^1.1.0",
  "abuser": "^2.0.2",
  "chai": "^4.2.0",

vulnerabilities/spec.js

@@ -0,0 +1,46 @@
+const { promises: { access, unlink } } = require('fs');
+const wait = require('@lets/wait');
+const git = require('..');
+
+/**
+ * Check if file exists
+ * @param {string}
+ * @returns {boolean}
+ */
+const exists = async path => {
+ try {
+ await access(path);
+ return true;
+ } catch {
+ return false;
+ }
+};
+
+/**
+ * Fail silently and asynchronously
+ * @param {function}
+ * @param {...any}
+ * @returns {any}
+ */
+async function softly(fn, ...args) {
+ try {
+ return await fn(...args);
+ } catch (error) {
+ // ignore
+ }
+}
+
+describe('vulnerabilities', async() => {
+ afterEach(async() => {
+ await wait(100);
+ await softly(unlink, 'HACKED');
+ });
+ it('shell injection in reset', async() => {
+ await softly(git.reset, '; touch HACKED #');
+ expect(await exists('HACKED')).to.be.false;
+ });
+ it('shell injection in tag', async() => {
+ await softly(git.tag, '; touch HACKED #');
+ expect(await exists('HACKED')).to.be.false;
+ });
+});