watson/umami
1
0
Fork 0
mirror of https://github.com/umami-software/umami.git synced 2026-02-13 00:55:37 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix: replace execSync with execFileSync for security and validate semver versions

Browse source
This commit is contained in:
Ritik Sahni 2025-11-13 12:51:06 +05:30
parent f20a3ec391
commit 0c424649a3
1 changed files with 4 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/app/api/admin/status/route.ts
View file

@ -3,7 +3,7 @@ import { json, unauthorized } from '@/lib/response';
import { canViewUsers } from '@/permissions'; import { canViewUsers } from '@/permissions';
import prisma from '@/lib/prisma'; import prisma from '@/lib/prisma';
import { CURRENT_VERSION, UPDATES_URL } from '@/lib/constants'; import { CURRENT_VERSION, UPDATES_URL } from '@/lib/constants';
import { execSync } from 'node:child_process'; import { execFileSync } from 'node:child_process';
import { existsSync } from 'node:fs'; import { existsSync } from 'node:fs';
import { join } from 'node:path'; import { join } from 'node:path';
import { statfs } from 'node:fs/promises'; import { statfs } from 'node:fs/promises';
@ -76,7 +76,7 @@ async function checkStorage(): Promise<StorageStatus> {
if (dbUrl.hostname === 'localhost' || dbUrl.hostname === '127.0.0.1') { if (dbUrl.hostname === 'localhost' || dbUrl.hostname === '127.0.0.1') {
// Try to get PostgreSQL data directory // Try to get PostgreSQL data directory
try { try {
const pgDataDir = execSync('pg_config --sharedir', { encoding: 'utf-8', stdio: 'pipe' }).trim(); const pgDataDir = execFileSync('pg_config', ['--sharedir'], { encoding: 'utf-8', stdio: 'pipe' }).trim();
path = join(pgDataDir, '../data'); path = join(pgDataDir, '../data');
} catch { } catch {
// Fallback to current directory // Fallback to current directory
@ -109,7 +109,7 @@ async function checkStorage(): Promise<StorageStatus> {
} catch { } catch {
// Fallback: Try to use df command on Unix systems // Fallback: Try to use df command on Unix systems
try { try {
const dfOutput = execSync(`df -k "${path}"`, { encoding: 'utf-8', stdio: 'pipe' }); const dfOutput = execFileSync('df', ['-k', path], { encoding: 'utf-8', stdio: 'pipe' });
const lines = dfOutput.trim().split('\n'); const lines = dfOutput.trim().split('\n');
if (lines.length > 1) { if (lines.length > 1) {
const parts = lines[1].split(/\s+/); const parts = lines[1].split(/\s+/);
@ -190,7 +190,7 @@ async function checkUpdates(): Promise<UpdateStatus> {
} }
// Use semver for proper version comparison // Use semver for proper version comparison
const updateAvailable = semver.gt(latest, current); const updateAvailable = semver.valid(latest) && semver.valid(current) ? semver.gt(latest, current) : false;
return { return {
current, current,