Merge pull request #34 from MaddyGuthridge/maddy-child-process-promise-notes

Add notes about child-process-promise vulnerability

Author: MaddyGuthridge

src/lib/server/git.ts

@@ -88,6 +88,9 @@ export async function runSshKeyscan(url: string) {
     }
   }
 
+  // NOTE: While this is technically vulnerable due to a ReDoS vulnerability in cross-spawn
+  // (dependency of child-process-promise), this code will only be executed by admins, so it should
+  // be ok.
   const process = await spawn('ssh-keyscan', [host], { capture: ['stdout'] });
 
   // console.log(process.stdout);

src/lib/server/keys.ts

@@ -72,6 +72,8 @@ export async function generateKey(): Promise<string> {
   await setLocalConfig(cfg);
 
   // ssh-keygen -t $DEFAULT_KEY_TYPE -f ${defaultPrivateKeyPath()} -N '' -c "Minifolio SSH key"
+  // NOTE: While cross-spawn (dependency of child-process-promise) is technically vulnerable to a
+  // ReDoS attack, this is fine here, since the arguments are controlled by us
   await spawn(
     'ssh-keygen',
     [