Fix arbitrary command injection, CWE-264

Logikgate · Logikgate · commit 99b23e61c791 · 2018-05-14T17:43:58.000-04:00
diff --git a/lib/linux.js b/lib/linux.js
@@ -1,11 +1,11 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 module.exports = function (iface, callback) {
-    exec("cat /sys/class/net/" + iface + "/address", function (err, out) {
+    execFile("cat", ["/sys/class/net/", iface, "/address"], function (err, out) {
         if (err) {
             callback(err, null);
             return;
         }
         callback(null, out.trim().toLowerCase());
     });
-};
+};
diff --git a/lib/macosx.js b/lib/macosx.js
@@ -1,7 +1,7 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 module.exports = function (iface, callback) {
-    exec("networksetup -getmacaddress " + iface, function (err, out) {
+    execFile("networksetup", ["-getmacaddress", iface], function (err, out) {
         if (err) {
             callback(err, null);
             return;
diff --git a/lib/unix.js b/lib/unix.js
@@ -1,7 +1,7 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 module.exports = function (iface, callback) {
-    exec("ifconfig " + iface, function (err, out) {
+    execFile("ifconfig", [iface], function (err, out) {
         if (err) {
             callback(err, null);
             return;
diff --git a/lib/windows.js b/lib/windows.js
@@ -1,4 +1,4 @@
-var exec = require('child_process').exec;
+var execFile = require('child_process').execFile;
 
 var regexRegex = /[-\/\\^$*+?.()|[\]{}]/g;
 
@@ -7,7 +7,7 @@ function escape(string) {
 }
 
 module.exports = function (iface, callback) {
-    exec("ipconfig /all", function (err, out) {
+    execFile("ipconfig", ["/all"], function (err, out) {
         if (err) {
             callback(err, null);
             return;
