957adfc097
* fix(security): potential arbitary code execution vulnerability sanitize all user input in zenodo uploader fixes a medium-severity security vulnerability first identified by Snyk * style: format * chore: add shebang to zenodo shellscript * ci(codeclimate): configure * style: format * fix(ci): stylelint plugin not working * chore: remove manifest .vscode * fix(ci): bye bye stylelint * fix(ci): correct codeclimate config specify exclude patterns * fix(security): correct zenodo shellscript fail status --------- Co-authored-by: quantum9Innovation <quantum9Innovation@users.noreply.github.com>
37 lines
1 KiB
TypeScript
37 lines
1 KiB
TypeScript
import { execSync } from 'child_process'
|
|
import shellescape from 'shell-escape'
|
|
|
|
const TOKEN = process.env.ZENODO
|
|
const filename = process.argv[2]
|
|
const path = process.argv[3]
|
|
|
|
const run = (cmd: string): string | Buffer => {
|
|
try {
|
|
// sanitize user input before running to prevent arbitrary code execution
|
|
cmd = shellescape(cmd.split(' '))
|
|
const output = execSync(cmd, { stdio: 'pipe' })
|
|
return output
|
|
} catch (error) {
|
|
console.error(`Error executing shell script: ${error}`)
|
|
throw error
|
|
}
|
|
}
|
|
|
|
const out =
|
|
run(`curl --request POST 'https://zenodo.org/api/deposit/depositions?access_token=${TOKEN}' \
|
|
--header 'Content-Type: application/json' \
|
|
--data-raw '{}'
|
|
`)
|
|
const json = JSON.parse(out.toString())
|
|
const doi = json.metadata.prereserve_doi.doi
|
|
const file = json.links.bucket
|
|
|
|
console.log('DOI: ' + doi)
|
|
console.log('File: ' + file)
|
|
|
|
const res = run(
|
|
`curl --upload-file ${path} --request PUT '${file}/${filename}?access_token=${TOKEN}'`
|
|
)
|
|
const resJSON = JSON.parse(res.toString())
|
|
|
|
console.log(resJSON)
|