Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module
On Thu, 2018-01-11 at 09:02 +0100, Paolo Greppi wrote:

> So I have posted this:
> https://github.com/yarnpkg/yarn/issues/5208

Thanks for that.

BTW, the efficiency from this change is pretty minor, the major improvement is security. Not using the shell version of the function completely eliminates all possibility of shell metachar injection.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module
On 11/01/2018 03:41, Paul Wise wrote:

> On Wed, Jan 10, 2018 at 9:56 PM, Paolo Greppi wrote:
>
>> A Node.js module that provides a simple and platform-agnostic way
>> to build shell commands with arguments that pass through your shell
>> unaltered and with no unsafe side effects, whether you are running
>> on Windows or a Unix-based OS.
>
> Uh, it would be much better to bypass the shell and use
> child_process.execFile().
> Please ask anything depending on node-puka to instead use that.
>
> http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/

Thanks for the suggestion, it's a useful optimization and I'd love to drop this ITP and do without puka!

But I don't feel I can patch yarn myself to use execFile rather than exec: this is a change that upstream should implement.

So I have posted this:
https://github.com/yarnpkg/yarn/issues/5208

Let's see how they react.

Paolo
Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module
On Wed, Jan 10, 2018 at 9:56 PM, Paolo Greppi wrote:

> A Node.js module that provides a simple and platform-agnostic way
> to build shell commands with arguments that pass through your shell
> unaltered and with no unsafe side effects, whether you are running
> on Windows or a Unix-based OS.

Uh, it would be much better to bypass the shell and use
child_process.execFile().
Please ask anything depending on node-puka to instead use that.

http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module
Package: wnpp
Severity: wishlist
Owner: Paolo Greppi

* Package name    : node-puka
  Version         : 1.0.0
  Upstream Author : Ryan Hendrickson
* URL             : https://gitlab.com/rhendric/puka
* License         : Expat
  Programming Lang: JavaScript
  Description     : Safely pass strings through shells - Node.js module

A Node.js module that provides a simple and platform-agnostic way to build shell commands with arguments that pass through your shell unaltered and with no unsafe side effects, whether you are running on Windows or a Unix-based OS.
.
It is useful when launching a child process from Node.js using a shell (as with child_process.exec); in that case you have to construct your command as a single string instead of using an array of arguments. And doing that can be buggy (if not dangerous) if you don't take care to quote any arguments correctly for the shell you're targeting, and the quoting has to be done differently on Windows and non-Windows shells.
.
Node.js is an event-based server-side JavaScript engine.

This is required for node-yarnpkg, see ITP: https://bugs.debian.org/843021

My intention is to package it within the JavaScript maintainers team.

It will be built with rollup, and requires:
- rollup-plugin-babel, ITP: http://bugs.debian.org/886404
- rollup-plugin-cleanup

The repo will be on salsa: https://salsa.debian.org/js-team/node-puka

Paolo