inibase 1.0.0-rc.102 → 1.0.0-rc.103

package/dist/file.js

@@ -5,10 +5,10 @@ import { createInterface } from "node:readline";
 import { Transform } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import { createGunzip, createGzip } from "node:zlib";
+import { spawn as spawnSync } from "node:child_process";
 import Inison from "inison";
 import { detectFieldType, isArrayOfObjects, isStringified, isNumber, isObject, } from "./utils.js";
 import { compare, encodeID, exec, gunzip, gzip } from "./utils.server.js";
-import { spawn } from "node:child_process";
 export const lock = async (folderPath, prefix) => {
     let lockFile = null;
     const lockFilePath = join(folderPath, `${prefix ?? ""}.locked`);
@@ -36,6 +36,10 @@ export const write = async (filePath, data) => {
 export const read = async (filePath) => filePath.endsWith(".gz")
     ? (await gunzip(await readFile(filePath, "utf8"))).toString()
     : await readFile(filePath, "utf8");
+// Escaping function to safely handle special characters
+function _escapeDoubleQuotes(arg) {
+    return arg.replace(/(["$`\\])/g, "\\$1"); // Escape double quotes, $, `, and \
+}
 const _pipeline = async (filePath, rl, writeStream, transform) => {
     if (filePath.endsWith(".gz"))
         await pipeline(rl, transform, createGzip(), writeStream);
@@ -194,9 +198,10 @@ export async function get(filePath, lineNumbers, fieldType, fieldChildrenType, s
             }
         }
         else if (lineNumbers == -1) {
+            const escapedFilePath = `"${_escapeDoubleQuotes(filePath)}"`;
             const command = filePath.endsWith(".gz")
-                ? `zcat ${filePath} | sed -n '$p'`
-                : `sed -n '$p' ${filePath}`, foundedLine = (await exec(command)).stdout.trimEnd();
+                ? `zcat ${escapedFilePath} | sed -n '$p'`
+                : `sed -n '$p' ${escapedFilePath}`, foundedLine = (await exec(command)).stdout.trimEnd();
             if (foundedLine)
                 lines[linesCount] = decode(foundedLine, fieldType, fieldChildrenType, secretKey);
         }
@@ -215,9 +220,10 @@ export async function get(filePath, lineNumbers, fieldType, fieldChildrenType, s
                 }
                 return [lines, linesCount];
             }
+            const escapedFilePath = `"${_escapeDoubleQuotes(filePath)}"`;
             const command = filePath.endsWith(".gz")
-                ? `zcat ${filePath} | sed -n '${lineNumbers.join("p;")}p'`
-                : `sed -n '${lineNumbers.join("p;")}p' ${filePath}`, foundedLines = (await exec(command)).stdout.trimEnd().split("\n");
+                ? `zcat "${escapedFilePath}" | sed -n '${lineNumbers.join("p;")}p'`
+                : `sed -n '${lineNumbers.join("p;")}p' "${escapedFilePath}"`, foundedLines = (await exec(command)).stdout.trimEnd().split("\n");
             let index = 0;
             for (const line of foundedLines) {
                 lines[lineNumbers[index]] = decode(line, fieldType, fieldChildrenType, secretKey);
@@ -278,7 +284,7 @@ export const replace = async (filePath, replacements, totalItems) => {
         }
         else {
             return new Promise((resolve) => {
-                const sedProcess = spawn("sed", [
+                const sedProcess = spawnSync("sed", [
                     "-e",
                     `s/.*/${replacements}/`,
                     "-e",
@@ -347,9 +353,10 @@ export const append = async (filePath, data) => {
                 await appendFile(fileTempPath, `${Array.isArray(data) ? data.join("\n") : data}\n`);
             }
             else {
+                const escapedFileTempPath = `"${_escapeDoubleQuotes(fileTempPath)}"`;
                 await exec(`echo $'${(Array.isArray(data) ? data.join("\n") : data)
                     .toString()
-                    .replace(/'/g, "\\'")}' | gzip - >> ${fileTempPath}`);
+                    .replace(/'/g, "\\'")}' | gzip - >> ${escapedFileTempPath}`);
             }
         }
         else
@@ -402,7 +409,10 @@ export const prepend = async (filePath, data) => {
             const fileChildTempPath = filePath.replace(/([^/]+)\/?$/, ".tmp/tmp_$1");
             try {
                 await write(fileChildTempPath, `${Array.isArray(data) ? data.join("\n") : data}\n`);
-                await exec(`cat ${fileChildTempPath} ${filePath} > ${fileTempPath}`);
+                const escapedFilePath = `"${_escapeDoubleQuotes(filePath)}"`;
+                const escapedFileTempPath = `"${_escapeDoubleQuotes(fileTempPath)}"`;
+                const escapedFileChildTempPath = `"${_escapeDoubleQuotes(fileChildTempPath)}"`;
+                await exec(`cat ${escapedFileChildTempPath} ${escapedFilePath} > ${escapedFileTempPath}`);
             }
             catch {
                 return [fileTempPath, null];
@@ -439,9 +449,11 @@ export const remove = async (filePath, linesToDelete) => {
         throw new Error("UNVALID_LINE_NUMBERS");
     const fileTempPath = filePath.replace(/([^/]+)\/?$/, ".tmp/$1");
     try {
+        const escapedFilePath = `"${_escapeDoubleQuotes(filePath)}"`;
+        const escapedFileTempPath = `"${_escapeDoubleQuotes(fileTempPath)}"`;
         const command = filePath.endsWith(".gz")
-            ? `zcat ${filePath} | sed "${linesToDelete.join("d;")}d" | gzip > ${fileTempPath}`
-            : `sed "${linesToDelete.join("d;")}d" ${filePath} > ${fileTempPath}`;
+            ? `zcat ${escapedFilePath} | sed "${linesToDelete.join("d;")}d" | gzip > ${fileTempPath}`
+            : `sed "${linesToDelete.join("d;")}d" ${escapedFilePath} > ${escapedFileTempPath}`;
         await exec(command);
         return [fileTempPath, filePath];
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "inibase",
-  "version": "1.0.0-rc.102",
+  "version": "1.0.0-rc.103",
   "type": "module",
   "author": {
     "name": "Karim Amahtil",
@@ -19,7 +19,7 @@
   },
   "description": "A file-based & memory-efficient, serverless, ACID compliant, relational database management system",
   "engines": {
-    "node": ">=16"
+    "node": ">=22"
   },
   "files": [
     "/dist"