Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module

2018-01-11 Thread Paul Wise
On Thu, 2018-01-11 at 09:02 +0100, Paolo Greppi wrote:

> So I have posted this:
> https://github.com/yarnpkg/yarn/issues/5208

Thanks for that.

BTW, the efficiency from this change is pretty minor, the major
improvement is security. Not using the shell version of the function
completely eliminates all possibility of shell metachar injection.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise




Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module

2018-01-11 Thread Paolo Greppi
On 11/01/2018 03:41, Paul Wise wrote:
> On Wed, Jan 10, 2018 at 9:56 PM, Paolo Greppi wrote:
> 
>>  A Node.js module that provides a simple and platform-agnostic way
>>  to build shell commands with arguments that pass through your shell
>>  unaltered and with no unsafe side effects, whether you are running
>>  on Windows or a Unix-based OS.
> 
> Uh, it would be much better to bypass the shell and use
> child_process.execFile().
> Please ask anything depending on node-puka to instead use that.
> 
> http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/

Thanks for the suggestion, it's a useful optimization and I'd love to drop this 
ITP and do without puka!

But I don't feel I can patch yarn myself to use execFile rather than exec: this 
is a change that upstream should implement.

So I have posted this:
https://github.com/yarnpkg/yarn/issues/5208

Let's see how they react.

Paolo



Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module

2018-01-10 Thread Paul Wise
On Wed, Jan 10, 2018 at 9:56 PM, Paolo Greppi wrote:

>  A Node.js module that provides a simple and platform-agnostic way
>  to build shell commands with arguments that pass through your shell
>  unaltered and with no unsafe side effects, whether you are running
>  on Windows or a Unix-based OS.

Uh, it would be much better to bypass the shell and use
child_process.execFile().
Please ask anything depending on node-puka to instead use that.

http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Bug#886849: ITP: node-puka -- Safely pass strings through shells - Node.js module

2018-01-10 Thread Paolo Greppi
Package: wnpp
Severity: wishlist
Owner: Paolo Greppi 

* Package name: node-puka
  Version : 1.0.0
  Upstream Author : Ryan Hendrickson 
* URL : https://gitlab.com/rhendric/puka
* License : Expat
  Programming Lang: JavaScript
  Description : Safely pass strings through shells - Node.js module

 A Node.js module that provides a simple and platform-agnostic way
 to build shell commands with arguments that pass through your shell
 unaltered and with no unsafe side effects, whether you are running
 on Windows or a Unix-based OS.
 .
 It is useful when launching a child process from Node.js using a shell
 (as with child_process.exec); in that case you have to construct your
 command as a single string instead of using an array of arguments.
 And doing that can be buggy (if not dangerous) if you don't take care
 to quote any arguments correctly for the shell you're targeting, and
 the quoting has to be done differently on Windows and non-Windows shells.
 .
 Node.js is an event-based server-side JavaScript engine.

This is required for node-yarnpkg, see ITP:
https://bugs.debian.org/843021

My intention is to package it within the JavaScript maintainers team.

It will be built with rollup, and requires:
- rollup-plugin-babel, ITP: http://bugs.debian.org/886404
- rollup-plugin-cleanup

The repo will be on salsa:
https://salsa.debian.org/js-team/node-puka

Paolo