dl-git-repo-safe 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,22 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [1.0.0] - 2026-04-01
+
+### Changed
+- Replaced `git-clone@^0.1.0` with `git-clone-safe@^1.2.0`
+- Updated `require('git-clone')` to `require('git-clone-safe')` in `index.js`
+
+### Security
+- **Fixed CVE-2022-25900**: Command injection vulnerability in `git-clone` package.
+  The original `git-clone` passes unsanitized arguments to the git binary, allowing
+  an attacker to inject arbitrary commands via crafted repository URLs. This fork
+  uses `git-clone-safe` which properly sanitizes all git clone arguments.
+
+### Note
+- This is a fork of [`download-git-repo@3.0.2`](https://gitlab.com/flippidippi/download-git-repo)
+  with the single change of replacing the vulnerable dependency.
+- The API is 100% compatible with the original package — drop-in replacement.

package/LICENSE

@@ -0,0 +1,22 @@
+MIT License
+
+Copyright (c) download-git-repo-safe contributors
+Copyright (c) 2016 flippidippi (original download-git-repo)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,149 @@
+# download-git-repo-safe
+
+> **⚠️ Security Notice**: This is a security-patched fork of [`download-git-repo`](https://gitlab.com/flippidippi/download-git-repo). It replaces the vulnerable `git-clone` dependency with [`git-clone-safe`](https://www.npmjs.com/package/git-clone-safe) to fix **CVE-2022-25900** (command injection via git clone).
+
+Download and extract a git repository (GitHub, GitLab, Bitbucket) from node.
+
+## What Changed?
+
+| | `download-git-repo` (original) | `download-git-repo-safe` (this fork) |
+|---|---|---|
+| `git-clone` | `^0.1.0` (vulnerable) | replaced with `git-clone-safe@^1.2.0` |
+| CVE-2022-25900 | **Affected** | **Fixed** |
+| API | — | **100% compatible** (drop-in replacement) |
+
+### CVE-2022-25900
+
+The original `download-git-repo` depends on `git-clone@^0.1.0`, which is vulnerable to command injection. An attacker can craft a malicious repository URL that executes arbitrary commands on the system. This fork replaces `git-clone` with `git-clone-safe`, which properly sanitizes git clone arguments.
+
+## Migration
+
+Replace `download-git-repo` with `download-git-repo-safe`:
+
+```bash
+npm uninstall download-git-repo
+npm install download-git-repo-safe
+```
+
+Or use npm/yarn overrides to replace it transitively:
+
+```json
+{
+  "overrides": {
+    "download-git-repo": "npm:download-git-repo-safe@^1.0.0"
+  }
+}
+```
+
+No code changes required — the API is identical.
+
+## Installation
+
+    $ npm install download-git-repo-safe
+
+## API
+
+### download(repository, destination, options, callback)
+
+Download a git `repository` to a `destination` folder with `options`, and `callback`.
+
+#### repository
+The shorthand repository string to download the repository from:
+
+- **GitHub** - `github:owner/name` or simply `owner/name`
+- **GitLab** - `gitlab:owner/name`
+- **Bitbucket** - `bitbucket:owner/name`
+
+The `repository` parameter defaults to the `master` branch, but you can specify a branch or tag as a URL fragment like `owner/name#my-branch`.
+In addition to specifying the type of where to download, you can also specify a custom origin like `gitlab:custom.com:owner/name`.
+Custom origin will default to `https` or `git@` for http and clone downloads respectively, unless protocol is specified.
+Feel free to submit an issue or pull request for additional origin options.
+
+In addition to having the shorthand for supported git hosts, you can also hit a repository directly with:
+
+- **Direct** - `direct:url`
+
+This will bypass the shorthand normalizer and pass `url` directly.
+If using `direct` without clone, you must pass the full url to the zip file, including paths to branches if needed.
+If using `direct` with clone, you must pass the full url to the git repo and you can specify a branch like `direct:url#my-branch`.
+
+#### destination
+The file path to download the repository to.
+
+#### options
+An optional options object parameter with download options. Options include:
+
+- `clone` - boolean default `false` - If true use `git clone` instead of an http download. While this can be a bit slower, it does allow private repositories to be used if the appropriate SSH keys are setup.
+- All other options (`proxy`, `headers`, `filter`, etc.) will be passed down accordingly and may override defaults
+    - Additional download options: https://github.com/kevva/download#options
+    - Additional clone options: https://github.com/jaz303/git-clone#clonerepo-targetpath-options-cb
+
+#### callback
+The callback function as `function (err)`.
+
+## Examples
+### Shorthand
+Using http download from Github repository at master.
+```javascript
+var download = require('download-git-repo-safe')
+download('flippidippi/download-git-repo-fixture', 'test/tmp', function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+Using git clone from Bitbucket repository at my-branch.
+```javascript
+download('bitbucket:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { clone: true }, function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+Using http download from GitLab repository with custom origin and token.
+```javascript
+download('gitlab:mygitlab.com:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { headers: { 'PRIVATE-TOKEN': '1234' } }, function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+Using git clone from GitLab repository with custom origin and protocol.
+Note that the repository type (`github`, `gitlab` etc.) is not required if cloning from a custom origin.
+```javascript
+download('https://mygitlab.com:flippidippi/download-git-repo-fixture#my-branch', 'test/tmp', { clone: true }, function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+### Direct
+Using http download from direct url.
+```javascript
+download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture/repository/archive.zip', 'test/tmp', function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+Using git clone from direct url at master.
+```javascript
+download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture.git', 'test/tmp', { clone: true }, function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+Using git clone from direct url at my-branch.
+```javascript
+download('direct:https://gitlab.com/flippidippi/download-git-repo-fixture.git#my-branch', 'test/tmp', { clone: true }, function (err) {
+  console.log(err ? 'Error' : 'Success')
+})
+```
+
+## Verification
+
+To confirm `git-clone-safe` is installed instead of `git-clone`:
+
+```bash
+npm ls git-clone git-clone-safe
+npm audit
+```
+
+## License
+
+MIT

package/index.js

@@ -0,0 +1,167 @@
+var downloadUrl = require('download')
+var gitclone = require('git-clone-safe')
+var rm = require('rimraf').sync
+
+/**
+ * Expose `download`.
+ */
+
+module.exports = download
+
+/**
+ * Download `repo` to `dest` and callback `fn(err)`.
+ *
+ * @param {String} repo
+ * @param {String} dest
+ * @param {Object} opts
+ * @param {Function} fn
+ */
+
+function download (repo, dest, opts, fn) {
+  if (typeof opts === 'function') {
+    fn = opts
+    opts = null
+  }
+  opts = opts || {}
+  var clone = opts.clone || false
+  delete opts.clone
+
+  repo = normalize(repo)
+  var url = repo.url || getUrl(repo, clone)
+
+  if (clone) {
+    var cloneOptions = {
+      checkout: repo.checkout,
+      shallow: repo.checkout === 'master',
+      ...opts
+    }
+    gitclone(url, dest, cloneOptions, function (err) {
+      if (err === undefined) {
+        rm(dest + '/.git')
+        fn()
+      } else {
+        fn(err)
+      }
+    })
+  } else {
+    var downloadOptions = {
+      extract: true,
+      strip: 1,
+      mode: '666',
+      ...opts,
+      headers: {
+        accept: 'application/zip',
+        ...(opts.headers || {})
+      }
+    }
+    downloadUrl(url, dest, downloadOptions)
+      .then(function (data) {
+        fn()
+      })
+      .catch(function (err) {
+        fn(err)
+      })
+  }
+}
+
+/**
+ * Normalize a repo string.
+ *
+ * @param {String} repo
+ * @return {Object}
+ */
+
+function normalize (repo) {
+  var regex = /^(?:(direct):([^#]+)(?:#(.+))?)$/
+  var match = regex.exec(repo)
+
+  if (match) {
+    var url = match[2]
+    var directCheckout = match[3] || 'master'
+
+    return {
+      type: 'direct',
+      url: url,
+      checkout: directCheckout
+    }
+  } else {
+    regex = /^(?:(github|gitlab|bitbucket):)?(?:(.+):)?([^/]+)\/([^#]+)(?:#(.+))?$/
+    match = regex.exec(repo)
+    var type = match[1] || 'github'
+    var origin = match[2] || null
+    var owner = match[3]
+    var name = match[4]
+    var checkout = match[5] || 'master'
+
+    if (origin == null) {
+      if (type === 'github') {
+        origin = 'github.com'
+      } else if (type === 'gitlab') {
+        origin = 'gitlab.com'
+      } else if (type === 'bitbucket') {
+        origin = 'bitbucket.org'
+      }
+    }
+
+    return {
+      type: type,
+      origin: origin,
+      owner: owner,
+      name: name,
+      checkout: checkout
+    }
+  }
+}
+
+/**
+ * Adds protocol to url in none specified
+ *
+ * @param {String} url
+ * @return {String}
+ */
+
+function addProtocol (origin, clone) {
+  if (!/^(f|ht)tps?:\/\//i.test(origin)) {
+    if (clone) {
+      origin = 'git@' + origin
+    } else {
+      origin = 'https://' + origin
+    }
+  }
+
+  return origin
+}
+
+/**
+ * Return a zip or git url for a given `repo`.
+ *
+ * @param {Object} repo
+ * @return {String}
+ */
+
+function getUrl (repo, clone) {
+  var url
+
+  // Get origin with protocol and add trailing slash or colon (for ssh)
+  var origin = addProtocol(repo.origin, clone)
+  if (/^git@/i.test(origin)) {
+    origin = origin + ':'
+  } else {
+    origin = origin + '/'
+  }
+
+  // Build url
+  if (clone) {
+    url = origin + repo.owner + '/' + repo.name + '.git'
+  } else {
+    if (repo.type === 'github') {
+      url = origin + repo.owner + '/' + repo.name + '/archive/' + repo.checkout + '.zip'
+    } else if (repo.type === 'gitlab') {
+      url = origin + repo.owner + '/' + repo.name + '/repository/archive.zip?ref=' + repo.checkout
+    } else if (repo.type === 'bitbucket') {
+      url = origin + repo.owner + '/' + repo.name + '/get/' + repo.checkout + '.zip'
+    }
+  }
+
+  return url
+}

package/package.json

@@ -0,0 +1,47 @@
+{
+  "name": "dl-git-repo-safe",
+  "version": "1.0.0",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/nicolo-ribaudo/download-git-repo-safe.git"
+  },
+  "description": "Download and extract a git repository (GitHub, GitLab, Bitbucket) from node. Security-patched fork with git-clone-safe.",
+  "keywords": [
+    "download",
+    "github",
+    "gitlab",
+    "bitbucket",
+    "repo",
+    "repository",
+    "tar",
+    "extract",
+    "tarball",
+    "security",
+    "cve-2022-25900",
+    "safe"
+  ],
+  "scripts": {
+    "test": "mocha",
+    "lint": "standard --verbose | snazzy",
+    "lint:fix": "standard --verbose --fix | snazzy",
+    "precommit": "npm run lint"
+  },
+  "dependencies": {
+    "download": "^7.1.0",
+    "git-clone-safe": "^1.2.0",
+    "rimraf": "^3.0.0"
+  },
+  "devDependencies": {
+    "fs-readdir-recursive": "^1.1.0",
+    "husky": "^3.0.8",
+    "mocha": "^6.2.1",
+    "snazzy": "^8.0.0",
+    "standard": "^14.3.1"
+  },
+  "standard": {
+    "env": [
+      "mocha"
+    ]
+  }
+}