@db-ux/core-components 3.0.1 → 3.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { glob } from 'glob';
|
|
2
|
-
import {
|
|
2
|
+
import { execFile } from 'node:child_process';
|
|
3
3
|
import { promisify } from 'node:util';
|
|
4
4
|
|
|
5
5
|
import { dirname } from 'path';
|
|
@@ -8,12 +8,16 @@ import { fileURLToPath } from 'url';
|
|
|
8
8
|
const __filename = fileURLToPath(import.meta.url);
|
|
9
9
|
const __dirname = dirname(__filename).replaceAll('\\', '/');
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
// Security: Using execFile instead of exec to eliminate shell injection risks
|
|
12
|
+
// execFile directly executes the binary without involving a shell
|
|
13
|
+
const execFileAsync = promisify(execFile);
|
|
12
14
|
|
|
13
15
|
const generateFonts = async () => {
|
|
14
16
|
console.log('Generating EU fonts...');
|
|
15
17
|
try {
|
|
16
|
-
|
|
18
|
+
// Security: Using array arguments instead of concatenated string
|
|
19
|
+
// This prevents shell interpretation of special characters
|
|
20
|
+
await execFileAsync('pyftsubset', ['--help']);
|
|
17
21
|
} catch (e) {
|
|
18
22
|
console.warn(
|
|
19
23
|
'You need to install pyftsubset. Check packages/foundations/assets/fonts/README.md for more information.'
|
|
@@ -22,19 +26,28 @@ const generateFonts = async () => {
|
|
|
22
26
|
|
|
23
27
|
try {
|
|
24
28
|
const files = await glob(`${__dirname}/*.ttf`);
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
29
|
+
|
|
30
|
+
for (const file of files) {
|
|
31
|
+
// Security: Validate that the file is within the expected directory
|
|
32
|
+
// and has the expected extension to prevent path traversal attacks
|
|
33
|
+
if (!file.startsWith(__dirname) || !file.endsWith('.ttf')) {
|
|
34
|
+
console.warn(`Skipping potentially unsafe file path: ${file}`);
|
|
35
|
+
continue;
|
|
36
|
+
}
|
|
37
|
+
|
|
38
|
+
// Security: Arguments are passed as separate array elements
|
|
39
|
+
// No shell concatenation means no risk of command injection
|
|
40
|
+
const args = [
|
|
28
41
|
file,
|
|
29
42
|
'--layout-features=*',
|
|
30
43
|
'--flavor=woff2',
|
|
31
44
|
`--unicodes-file=${__dirname}/unicode-eu.txt`,
|
|
32
45
|
`--output-file=${file.replace('.ttf', '-EU.woff2')}`
|
|
33
|
-
]
|
|
34
|
-
);
|
|
46
|
+
];
|
|
35
47
|
|
|
36
|
-
|
|
37
|
-
|
|
48
|
+
// Security: execFile provides better performance and type safety
|
|
49
|
+
// as it doesn't spawn a shell process
|
|
50
|
+
const { stdout, stderr } = await execFileAsync('pyftsubset', args);
|
|
38
51
|
if (stdout) console.log(`stdout: ${stdout}`);
|
|
39
52
|
if (stderr) console.error(`stderr: ${stderr}`);
|
|
40
53
|
}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@db-ux/core-components",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.2",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "",
|
|
6
6
|
"repository": {
|
|
@@ -42,7 +42,7 @@
|
|
|
42
42
|
"start": "nodemon --watch src --watch scripts --watch scripts --ext js,tsx,ts,scss,json --exec \"npm run build\""
|
|
43
43
|
},
|
|
44
44
|
"dependencies": {
|
|
45
|
-
"@db-ux/core-foundations": "3.0.
|
|
45
|
+
"@db-ux/core-foundations": "3.0.2"
|
|
46
46
|
},
|
|
47
47
|
"devDependencies": {
|
|
48
48
|
"@builder.io/eslint-plugin-mitosis": "0.0.17",
|