Eliminated cmd injection risk from copyToClipboard()

adamlui · adamlui · commit 9cd832cdf4e3 · 2025-04-05T06:18:52.000-07:00
diff --git a/generate-ip/src/cli.js b/generate-ip/src/cli.js
@@ -11,7 +11,7 @@ const pkgName = 'generate-ip',
     // Import LIBS
     const { ipv4, ipv6, mac } = require(__dirname.match(/src/) ? './generate-ip' : './generate-ip.min'),
           fs = require('fs'), path = require('path'),
-          { execSync } = require('child_process') // for --version cmd + cross-platform copying
+          { execSync, execFileSync } = require('child_process') // for --version cmd + cross-platform copying
 
     // Init UI COLORS
     const nc = '\x1b[0m',    // no color
@@ -206,11 +206,11 @@ const pkgName = 'generate-ip',
 
     function copyToClipboard(data) {
         if (process.platform == 'darwin') // macOS
-            execSync(`printf "${data}" | pbcopy`)
+            execFileSync('pbcopy', [], { input: data })
         else if (process.platform == 'linux')
-            execSync(`printf "${data}" | xclip -selection clipboard`)
+            execFileSync('xclip', ['-selection', 'clipboard'], { input: data })
         else if (process.platform == 'win32')
-            execSync(`Set-Clipboard -Value "${data}"`, { shell: 'powershell' })
+            execFileSync('powershell', ['Set-Clipboard', '-Value', data])
     }
 
 })()
diff --git a/generate-pw/src/cli.js b/generate-pw/src/cli.js
@@ -11,7 +11,7 @@ const pkgName = 'generate-pw',
     // Import LIBS
     const { generatePassword } = require(__dirname.match(/src/) ? './generate-pw' : './generate-pw.min'),
           fs = require('fs'), path = require('path'),
-          { execSync } = require('child_process') // for --version cmd + cross-platform copying
+          { execSync, execFileSync } = require('child_process') // for --version cmd + cross-platform copying
 
     // Init UI COLORS
     const nc = '\x1b[0m',    // no color
@@ -231,11 +231,11 @@ const pkgName = 'generate-pw',
     function copyToClipboard(data) {
         data = data.replace(/"/g, '""')
         if (process.platform == 'darwin') // macOS
-            execSync(`printf "${data}" | pbcopy`)
+            execFileSync('pbcopy', [], { input: data })
         else if (process.platform == 'linux')
-            execSync(`printf "${data}" | xclip -selection clipboard`)
+            execFileSync('xclip', ['-selection', 'clipboard'], { input: data })
         else if (process.platform == 'win32')
-            execSync(`Set-Clipboard -Value "${data}"`, { shell: 'powershell' })
+            execFileSync('powershell', ['Set-Clipboard', '-Value', data])
     }
 
 })()
diff --git a/geolocate/src/cli.js b/geolocate/src/cli.js
@@ -11,7 +11,7 @@ const pkgName = '@adamlui/geolocate',
     // Import LIBS
     const geo = require(__dirname.match(/src/) ? './geolocate' : './geolocate.min'),
           fs = require('fs'), path = require('path'),
-          { execSync } = require('child_process') // for --version cmd + cross-platform copying
+          { execSync, execFileSync } = require('child_process') // for --version cmd + cross-platform copying
 
     // Init UI COLORS
     const nc = '\x1b[0m',    // no color
@@ -197,11 +197,11 @@ const pkgName = '@adamlui/geolocate',
     function copyToClipboard(data) {
         data = data.replace(/"/g, '""')
         if (process.platform == 'darwin') // macOS
-            execSync(`printf "${data}" | pbcopy`)
+            execFileSync('pbcopy', [], { input: data })
         else if (process.platform == 'linux')
-            execSync(`printf "${data}" | xclip -selection clipboard`)
+            execFileSync('xclip', ['-selection', 'clipboard'], { input: data })
         else if (process.platform == 'win32')
-            execSync(`Set-Clipboard -Value "${data}"`, { shell: 'powershell' })
+            execFileSync('powershell', ['Set-Clipboard', '-Value', data])
     }
 
 })()
