Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace execSync with spawnSync #482

Open
inkz opened this issue Feb 26, 2025 · 0 comments
Open

Replace execSync with spawnSync #482

inkz opened this issue Feb 26, 2025 · 0 comments
Labels
问题反馈 反馈问题帮助我们改进 VanBlog

Comments

@inkz
Copy link

inkz commented Feb 26, 2025

问题描述 | Describe the bug

Currently, the codebase uses child_process.execSync,
https://github.com/Mereithhh/vanblog/blob/master/packages/server/src/utils/deleteFolder.ts#L3
which is vulnerable to command injection, as the user input is passed.

To enhance security, please replace execSync with spawnSync from child_process, which provides better control over argument handling and avoids shell interpretation issues.
e.g.

execSync('rm', ['-rf', p]);

复现网址 | Website URL

版本 | Version

部署方式? | How do you deploy vanblog?

Docker 部署(文档默认)
@inkz inkz added the 问题反馈 反馈问题帮助我们改进 VanBlog label Feb 26, 2025
@CornWorld CornWorld mentioned this issue Mar 13, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
问题反馈 反馈问题帮助我们改进 VanBlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@inkz