react-native/local-cli/server/util/launchEditor.js
Shayne Sweeney ab61a1fbac Sanitize lineNumber in launchEditor
Summary: Shelling out on win32 does not properly escape the command due to c3bb4b1aa5/lib/child_

This patch ensures a proper lineNumber before continuing, similar to how we check that the fileName passed exists.

**Test plan**

On platform `win32` or given appropriate testing changes to `launchEditor.js`...

With the following `request-bad` file:
```
GET /open-stack-frame HTTP/1.1
Host: 127.0.0.1:8081
Proxy-Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Content-Length: 64

{"file":"C:\\Windows\\system.ini","lineNumber":"123\" && calc"}
```

`$ nc localhost 8081 < request-bad`

Observe that before this patch `calc` would launch and afte
Closes https://github.com/facebook/react-native/pull/6299

Differential Revision: D3012074

Pulled By: davidaurelio

fb-gh-sync-id: cbc7b6e5c60529a289c0989a95593a322333ba5d
shipit-source-id: cbc7b6e5c60529a289c0989a95593a322333ba5d
2016-03-04 12:07:02 -08:00


/**
* Copyright (c) 2015-present, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*/
'use strict';
var chalk = require('chalk');
var fs = require('fs');
var path = require('path');
var child_process = require('child_process');
/**
 * Reports whether `editor` is one of the editors known to run inside the
 * terminal (and therefore attach to this process's stdin/stdout).
 *
 * @param {string} editor  editor command as returned by guessEditor()
 * @returns {boolean}
 */
function isTerminalEditor(editor) {
  return editor === 'vim' || editor === 'emacs' || editor === 'nano';
}
// Known GUI editors on OS X, keyed by the full process name that shows up in
// `ps x`, mapped to the command-line binary that opens a file in the
// already-running instance. Re-using the process name itself would start a
// second copy of the application on every launch.
var COMMON_EDITORS = {};
COMMON_EDITORS['/Applications/Atom.app/Contents/MacOS/Atom'] = 'atom';
COMMON_EDITORS['/Applications/Sublime Text.app/Contents/MacOS/Sublime Text'] =
  '/Applications/Sublime Text.app/Contents/SharedSupport/bin/subl';
COMMON_EDITORS['/Applications/Sublime Text 2.app/Contents/MacOS/Sublime Text 2'] =
  '/Applications/Sublime Text 2.app/Contents/SharedSupport/bin/subl';
/**
 * Builds the argument list that makes `editor` open `fileName` positioned at
 * `lineNumber`. Only the basename of the editor command is used for the
 * lookup, so full paths such as `/usr/bin/vim` work too.
 *
 * Editors without a known line-number syntax get just the file name: passing
 * a wrong flag can produce errors or confusing behaviour, so the line is
 * dropped until a mapping is added here.
 *
 * @param {string} editor  editor command or path
 * @param {string} fileName  file to open
 * @param {number|string} lineNumber  line to jump to
 * @returns {Array<string|number>} argv to pass to the editor
 */
function getArgumentsForLineNumber(editor, fileName, lineNumber) {
  var plusLineAfterFile = function() {
    return [fileName, '+' + lineNumber];
  };
  var colonSuffix = function() {
    return [fileName + ':' + lineNumber];
  };
  var plusLineBeforeFile = function() {
    return ['+' + lineNumber, fileName];
  };
  var lineFlag = function() {
    return ['--line', lineNumber, fileName];
  };
  var builders = {
    vim: plusLineAfterFile,
    mvim: plusLineAfterFile,
    atom: colonSuffix,
    subl: colonSuffix,
    sublime: colonSuffix,
    joe: plusLineBeforeFile,
    emacs: plusLineBeforeFile,
    emacsclient: plusLineBeforeFile,
    rmate: lineFlag,
    mate: lineFlag,
    mine: lineFlag,
  };
  var name = path.basename(editor);
  // hasOwnProperty guard so a basename like "constructor" or "toString"
  // cannot pick up an inherited Object.prototype member as a builder.
  if (Object.prototype.hasOwnProperty.call(builders, name)) {
    return builders[name]();
  }
  return [fileName];
}
/**
 * Works out which editor to launch.
 *
 * Precedence: the REACT_EDITOR environment variable; then, on OS X only, a
 * known GUI editor found in the `ps x` output (see COMMON_EDITORS); finally
 * VISUAL or EDITOR. Returns undefined when none of these yields anything.
 *
 * @returns {string|undefined} editor command, or undefined if unknown
 */
function guessEditor() {
  // An explicitly configured editor takes precedence over any detection.
  var configured = process.env.REACT_EDITOR;
  if (configured) {
    return configured;
  }
  // On OS X, look through the running processes for a known editor and map
  // it to the binary that opens files in the already-running instance.
  // The same idea could be applied to Windows and Linux in future.
  if (process.platform === 'darwin') {
    try {
      var psOutput = String(child_process.execSync('ps x'));
      var running = Object.keys(COMMON_EDITORS).filter(function(processName) {
        return psOutput.indexOf(processName) !== -1;
      });
      if (running.length > 0) {
        return COMMON_EDITORS[running[0]];
      }
    } catch (error) {
      // `ps` failing is not fatal; fall through to the env-var fallback.
    }
  }
  // Last resort: the classic editor environment variables.
  return process.env.VISUAL || process.env.EDITOR;
}
/**
 * Prints a short banner explaining how the packager picks the editor it
 * launches (REACT_EDITOR first, then EDITOR) and how to configure it.
 *
 * @param {string} title  heading rendered on a blue background
 */
function printInstructions(title) {
  var heading = chalk.bgBlue.white.bold(' ' + title + ' ');
  var body = [
    ' When you see Red Box with stack trace, you can click any ',
    ' stack frame to jump to the source file. The packager will launch your ',
    ' editor of choice. It will first look at REACT_EDITOR environment ',
    ' variable, then at EDITOR. To set it up, you can add something like ',
    ' export REACT_EDITOR=atom to your ~/.bashrc or ~/.zshrc depending on ',
    ' which shell you use.',
  ];
  // Blank line above and below the banner so it stands out in the log.
  var lines = [''].concat([heading], body, ['']);
  console.log(lines.join('\n'));
}
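// Handle to the most recently spawned editor process, or null once it has
// exited. Only consulted to kill a terminal editor that is still attached to
// stdin/stdout before starting another one.
var _childProcess = null;

// lineNumber arrives from an HTTP request and on win32 ends up inside a
// `cmd.exe /C` command line (see the spawn below), so it must not contain
// anything a shell could interpret. Only an unsigned decimal integer is
// accepted. A Number()-based check such as isNaN() is too permissive: it
// also admits whitespace, signs, hex/exponent forms and "Infinity".
var SAFE_LINE_NUMBER = /^[0-9]+$/;

/**
 * True when `lineNumber` (number or string) is an unsigned decimal integer
 * and can therefore be placed on an editor command line.
 *
 * @param {number|string} lineNumber
 * @returns {boolean}
 */
function isSafeLineNumber(lineNumber) {
  return SAFE_LINE_NUMBER.test(String(lineNumber));
}

/**
 * Opens `fileName` at `lineNumber` in the user's editor.
 *
 * Returns without doing anything when the file does not exist or when a
 * lineNumber is given but is not a plain integer. When no editor can be
 * determined, prints setup instructions instead of launching anything.
 *
 * @param {string} fileName  path of the file to open; must already exist
 * @param {number|string} [lineNumber]  1-based line to jump to; falsy values
 *   mean "no line number"
 */
function launchEditor(fileName, lineNumber) {
  if (!fs.existsSync(fileName)) {
    return;
  }
  // NOTE: fileName is only checked for existence. On win32 it is also part
  // of the cmd.exe command line below, so a path containing shell
  // metacharacters is not rejected here.
  if (lineNumber && !isSafeLineNumber(lineNumber)) {
    return;
  }
  var editor = guessEditor();
  if (!editor) {
    printInstructions('PRO TIP');
    return;
  }
  var args = lineNumber
    ? getArgumentsForLineNumber(editor, fileName, lineNumber)
    : [fileName];
  console.log('Opening ' + chalk.underline(fileName) + ' with ' + chalk.bold(editor));
  if (_childProcess && isTerminalEditor(editor)) {
    // A terminal editor is still attached to this tty; kill it so two
    // instances do not compete for stdin/stdout.
    _childProcess.kill('SIGKILL');
  }
  var child;
  if (process.platform === 'win32') {
    // spawn() on Windows can only start .exe files directly, so go through
    // the shell. This is why lineNumber is validated above.
    child = child_process.spawn('cmd.exe', ['/C', editor].concat(args), {stdio: 'inherit'});
  } else {
    child = child_process.spawn(editor, args, {stdio: 'inherit'});
  }
  _childProcess = child;
  child.on('exit', function(errorCode) {
    // Only clear the module-level handle if it still refers to this process;
    // a later launch (of a non-terminal editor) may already have replaced it.
    if (_childProcess === child) {
      _childProcess = null;
    }
    if (errorCode) {
      console.log(chalk.red('Your editor exited with an error!'));
      printInstructions('Keep these instructions in mind:');
    }
  });
  child.on('error', function(error) {
    console.log(chalk.red(error.message));
    printInstructions('How to fix:');
  });
}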
// Sole export; every other definition in this file is a private helper.
module.exports = launchEditor;