eeymoo/nvm
1
0
Fork 0
mirror of https://github.com/nvm-sh/nvm.git synced 2026-02-04 08:52:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

[Fix] sanitize NVM_AUTH_HEADER in wget path

Browse Source
This commit is contained in:
Sy2n0
2026-01-09 11:30:14 +09:00
committed by Jordan Harband
parent 242d997da5
commit 44e2590cdf
2 changed files with 67 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nvm.sh
View File

@@ -149,7 +149,8 @@ nvm_download() {
") ")
if [ -n "${NVM_AUTH_HEADER:-}" ]; then if [ -n "${NVM_AUTH_HEADER:-}" ]; then
ARGS="${ARGS} --header \"${NVM_AUTH_HEADER}\"" sanitized_header=$(nvm_sanitize_auth_header "${NVM_AUTH_HEADER}")
ARGS="${ARGS} --header \"${sanitized_header}\""
fi fi
# shellcheck disable=SC2086 # shellcheck disable=SC2086
eval wget $ARGS eval wget $ARGS

65
test/fast/Unit tests/security_wget_injection Normal file
View File

@@ -0,0 +1,65 @@
#!/bin/sh
# Security test to verify that NVM_AUTH_HEADER is sanitized in wget path
# This test ensures that command injection attacks are prevented
cleanup () {
unset -f die cleanup
rm -f /tmp/nvm_security_test_file 2>/dev/null || true
}
die () { echo "$@" ; cleanup ; exit 1; }
\. ../../../nvm.sh
set -ex
# Skip test if wget is not available
if ! nvm_has "wget"; then
echo "wget not available, skipping security test"
exit 0
fi
# Test 1: Verify that malicious command injection in NVM_AUTH_HEADER is sanitized
# This should not execute the command, but should sanitize it
MALICIOUS_HEADER="Bearer test-token; touch /tmp/nvm_security_test_file; echo malicious"
NVM_AUTH_HEADER="${MALICIOUS_HEADER}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
# Verify that the malicious file was NOT created (sanitization worked)
if [ -f /tmp/nvm_security_test_file ]; then
die "SECURITY FAILURE: Command injection succeeded! Malicious file was created."
fi
# Test 2: Verify that sanitized header still works for legitimate requests
# The sanitized header should only contain safe characters
SANITIZED=$(nvm_sanitize_auth_header "${MALICIOUS_HEADER}")
# Verify that dangerous characters were removed
case "${SANITIZED}" in
*";"*|*"touch"*|*"/tmp"*)
die "SECURITY FAILURE: Sanitization did not remove dangerous characters properly"
;;
esac
# Test 3: Verify that legitimate header with safe characters still works
LEGITIMATE_HEADER="Bearer test-token-123"
NVM_AUTH_HEADER="${LEGITIMATE_HEADER}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
# Test 4: Test with backticks (command substitution)
MALICIOUS_HEADER2="Bearer \`touch /tmp/nvm_security_test_file\`"
NVM_AUTH_HEADER="${MALICIOUS_HEADER2}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
# Verify that the malicious file was NOT created
if [ -f /tmp/nvm_security_test_file ]; then
die "SECURITY FAILURE: Command injection with backticks succeeded! Malicious file was created."
fi
# Test 5: Test with $(command substitution)
MALICIOUS_HEADER3="Bearer \$(touch /tmp/nvm_security_test_file)"
NVM_AUTH_HEADER="${MALICIOUS_HEADER3}" nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/dev/null 2>&1 || true
# Verify that the malicious file was NOT created
if [ -f /tmp/nvm_security_test_file ]; then
die "SECURITY FAILURE: Command injection with \$() succeeded! Malicious file was created."
fi
cleanup
echo "All security tests passed: Command injection attacks are properly sanitized"