Fix vulnerability in git-loader: use execFile instead of exec (#2470)

dotansimha · web-flow · commit 6a966beee8ca · 2021-01-13T12:22:00.000+02:00
diff --git a/.changeset/green-cycles-drive.md b/.changeset/green-cycles-drive.md
@@ -0,0 +1,5 @@
+---
+'@graphql-tools/git-loader': patch
+---
+
+Fix vulnerability: use execFile instead of exec
diff --git a/packages/loaders/git/src/load-git.ts b/packages/loaders/git/src/load-git.ts
@@ -1,10 +1,10 @@
-import { exec, execSync } from 'child_process';
+import { execFile, execFileSync } from 'child_process';
 
 type Input = { ref: string; path: string };
 
 const createLoadError = (error: any) => new Error('Unable to load file from git: ' + error);
-const createCommand = ({ ref, path }: Input) => {
-  return `git show ${ref}:${path}`;
+const createCommand = ({ ref, path }: Input): string[] => {
+  return ['show', `${ref}:${path}`];
 };
 
 /**
@@ -13,7 +13,7 @@ const createCommand = ({ ref, path }: Input) => {
 export async function loadFromGit(input: Input): Promise<string | never> {
   try {
     return await new Promise((resolve, reject) => {
-      exec(createCommand(input), { encoding: 'utf-8', maxBuffer: 1024 * 1024 * 1024 }, (error, stdout) => {
+      execFile('git', createCommand(input), { encoding: 'utf-8', maxBuffer: 1024 * 1024 * 1024 }, (error, stdout) => {
         if (error) {
           reject(error);
         } else {
@@ -31,7 +31,7 @@ export async function loadFromGit(input: Input): Promise<string | never> {
  */
 export function loadFromGitSync(input: Input): string | never {
   try {
-    return execSync(createCommand(input), { encoding: 'utf-8' });
+    return execFileSync('git', createCommand(input), { encoding: 'utf-8' });
   } catch (error) {
     throw createLoadError(error);
   }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@graphql-tools/git-loader': patch
 +---
++
 +Fix vulnerability: use execFile instead of exec