Merge pull request #677 from snyk/fix/downgrade-shescape-version

Fix/downgrade shescape version to 1.7.4 due to 'Unsupported Default Shell Behavior' in  >= 2.0.0

Author: adrobuta

lib/sub-process.ts

@@ -1,4 +1,5 @@
 import * as childProcess from "child_process";
+import { quoteAll } from "shescape";
 
 export { execute, CmdOutput };
 interface CmdOutput {
@@ -12,15 +13,13 @@ function execute(
   options?,
 ): Promise<CmdOutput> {
   const spawnOptions: any = {
-    // Some distributions may not have /bin/bash, which would cause `child_process.spawn` to fail.
-    // By setting `shell: false`, we tell `spawn` to execute the command directly without a shell,
-    // which is more portable.
-    shell: false,
+    shell: true,
     env: { ...process.env },
   };
   if (options && options.cwd) {
     spawnOptions.cwd = options.cwd;
   }
+  args = quoteAll(args, spawnOptions);
 
   // Before spawning an external process, we look if we need to restore the system proxy configuration,
   // which overrides the cli internal proxy configuration.

package-lock.json

@@ -45,6 +45,7 @@
     "mkdirp": "^1.0.4",
     "packageurl-js": "1.2.0",
     "semver": "^7.6.3",
+    "shescape": "^1.7.4",
     "snyk-nodejs-lockfile-parser": "^2.0.0",
     "snyk-poetry-lockfile-parser": "^1.4.0",
     "snyk-resolve-deps": "^4.7.1",

package.json

@@ -1,3 +1,4 @@
+import { quoteAll } from "shescape";
 import { execute } from "../../lib/sub-process";
 
 describe("sub-process", () => {
@@ -31,4 +32,24 @@ describe("sub-process", () => {
     expect(stdout).toContain("NO_PROXY=snyk.com");
     expect(process.env.NO_PROXY).toStrictEqual("example.com");
   });
+
+  describe("quoteAll", () => {
+    const shellOptions = [false, true, "/bin/sh"];
+    if (process.platform !== "win32") {
+      shellOptions.push(
+        "/bin/bash",
+        "/bin/zsh",
+        "/bin/dash",
+        "/bin/ksh",
+        "/bin/csh",
+        "/bin/busybox",
+      );
+    }
+
+    for (const shell of shellOptions) {
+      it(`does not throw when shell is ${shell}`, () => {
+        expect(() => quoteAll(["test"], { shell })).not.toThrow();
+      });
+    }
+  });
 });

test/lib/sub-process.spec.ts

@@ -92,6 +92,23 @@ describe("plugin", () => {
     });
   });
 
+  test("image pulled by tag has version set", async () => {
+    const imageNameAndTag = `nginx:1.19.0`;
+
+    const pluginResult = await plugin.scan({
+      path: imageNameAndTag,
+    });
+
+    const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
+      (fact) => fact.type === "depGraph",
+    )!.data;
+
+    //  image name matches
+    expect(depGraph.rootPkg.name).toEqual("docker-image|nginx");
+    //  version must not be empty
+    expect(depGraph.rootPkg.version).toEqual("1.19.0");
+  });
+
   describe("when scanning a locally loaded image", () => {
     const imageName = "busybox";
     const imageTag = "latest";
@@ -121,23 +138,6 @@ describe("plugin", () => {
     });
   });
 
-  test("image pulled by tag has version set", async () => {
-    const imageNameAndTag = `nginx:1.19.0`;
-
-    const pluginResult = await plugin.scan({
-      path: imageNameAndTag,
-    });
-
-    const depGraph: DepGraph = pluginResult.scanResults[0].facts.find(
-      (fact) => fact.type === "depGraph",
-    )!.data;
-
-    //  image name matches
-    expect(depGraph.rootPkg.name).toEqual("docker-image|nginx");
-    //  version must not be empty
-    expect(depGraph.rootPkg.version).toEqual("1.19.0");
-  });
-
   test("static scan for Identifier type image (nginx:1.19.0)", async () => {
     // This digest resolves to the `1.19.0` tag. We're using the digest to guarantee we always get the correct
     // image, no matter on which platform this test is run on.