From abf2e4fc9a6287157290ffdc12456cabf413754e Mon Sep 17 00:00:00 2001 From: Charles Milette Date: Sun, 29 Jun 2025 22:28:40 -0400 Subject: [PATCH 1/4] Handle spaces in ODM_PATH --- helpers/odm_python.bat | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/helpers/odm_python.bat b/helpers/odm_python.bat index 165d6bf..0db93ab 100644 --- a/helpers/odm_python.bat +++ b/helpers/odm_python.bat @@ -2,7 +2,7 @@ setlocal -call %ODM_PATH%\win32env.bat +call "%ODM_PATH%\win32env.bat" python %* -endlocal \ No newline at end of file +endlocal From c244f0797b456beb734e40cb7771b3ae33d896d8 Mon Sep 17 00:00:00 2001 From: Charles Milette Date: Sun, 29 Jun 2025 22:34:19 -0400 Subject: [PATCH 2/4] Sanitize whitespaces in python invocation Avoid shell entirely on *nixes --- libs/odmRunner.js | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/libs/odmRunner.js b/libs/odmRunner.js index 5c06375..5419cfb 100644 --- a/libs/odmRunner.js +++ b/libs/odmRunner.js @@ -122,13 +122,16 @@ module.exports = { return; // Skip rest } - const getOdmOptions = (pythonExe, done) => { + const getOdmOptions = (pythonExe, useShell, done) => { // Launch const env = utils.clone(process.env); env.ODM_OPTIONS_TMP_FILE = utils.tmpPath(".json"); env.ODM_PATH = config.odm_path; - let childProcess = spawn(pythonExe, [path.join(__dirname, "..", "helpers", "odmOptionsToJson.py"), - "--project-path", config.odm_path, "bogusname"], { env, stdio: 'inherit', shell: true }); + const helper = path.join(__dirname, "..", "helpers", "odmOptionsToJson.py"); + const helperSanitized = useShell ? `"${helper}"` : helper; + const odmSanitized = useShell ? `"${config.odm_path}"` : config.odm_path; + let childProcess = spawn(pythonExe, [helperSanitized, + "--project-path", odmSanitized, "bogusname"], { env, stdio: 'inherit', shell: useShell }); // Cleanup on done let handleResult = (err, result) => { @@ -160,11 +163,11 @@ module.exports = { } if (os.platform() === "win32"){ - getOdmOptions("helpers\\odm_python.bat", done); + getOdmOptions("helpers\\odm_python.bat", true, done); }else{ // Try Python3 first - getOdmOptions("python3", (err, result) => { - if (err) getOdmOptions("python", done); + getOdmOptions("python3", false, (err, result) => { + if (err) getOdmOptions("python", false, done); else done(null, result); }); } From 199904679b30c661770fb70a64c44d094e176de4 Mon Sep 17 00:00:00 2001 From: Piero Toffanin Date: Sat, 23 Aug 2025 13:53:49 -0400 Subject: [PATCH 3/4] Revert "Sanitize whitespaces in python invocation" This reverts commit c244f0797b456beb734e40cb7771b3ae33d896d8. --- libs/odmRunner.js | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/libs/odmRunner.js b/libs/odmRunner.js index 5419cfb..5c06375 100644 --- a/libs/odmRunner.js +++ b/libs/odmRunner.js @@ -122,16 +122,13 @@ module.exports = { return; // Skip rest } - const getOdmOptions = (pythonExe, useShell, done) => { + const getOdmOptions = (pythonExe, done) => { // Launch const env = utils.clone(process.env); env.ODM_OPTIONS_TMP_FILE = utils.tmpPath(".json"); env.ODM_PATH = config.odm_path; - const helper = path.join(__dirname, "..", "helpers", "odmOptionsToJson.py"); - const helperSanitized = useShell ? `"${helper}"` : helper; - const odmSanitized = useShell ? `"${config.odm_path}"` : config.odm_path; - let childProcess = spawn(pythonExe, [helperSanitized, - "--project-path", odmSanitized, "bogusname"], { env, stdio: 'inherit', shell: useShell }); + let childProcess = spawn(pythonExe, [path.join(__dirname, "..", "helpers", "odmOptionsToJson.py"), + "--project-path", config.odm_path, "bogusname"], { env, stdio: 'inherit', shell: true }); // Cleanup on done let handleResult = (err, result) => { @@ -163,11 +160,11 @@ module.exports = { } if (os.platform() === "win32"){ - getOdmOptions("helpers\\odm_python.bat", true, done); + getOdmOptions("helpers\\odm_python.bat", done); }else{ // Try Python3 first - getOdmOptions("python3", false, (err, result) => { - if (err) getOdmOptions("python", false, done); + getOdmOptions("python3", (err, result) => { + if (err) getOdmOptions("python", done); else done(null, result); }); } From efb60b33dc1730ebc89d166b6b5a6a7f538bb99f Mon Sep 17 00:00:00 2001 From: Piero Toffanin Date: Sat, 23 Aug 2025 13:57:25 -0400 Subject: [PATCH 4/4] Shell escape config.odm_path --- libs/odmRunner.js | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libs/odmRunner.js b/libs/odmRunner.js index 5c06375..005c018 100644 --- a/libs/odmRunner.js +++ b/libs/odmRunner.js @@ -127,8 +127,17 @@ module.exports = { const env = utils.clone(process.env); env.ODM_OPTIONS_TMP_FILE = utils.tmpPath(".json"); env.ODM_PATH = config.odm_path; + const shEscape = s => { + if (/[^A-Za-z0-9_\/:=-]/.test(s)) { + s = "'"+s.replace(/'/g,"'\\''")+"'"; + s = s.replace(/^(?:'')+/g, '') + .replace(/\\'''/g, "\\'" ); + } + return s; + } + let childProcess = spawn(pythonExe, [path.join(__dirname, "..", "helpers", "odmOptionsToJson.py"), - "--project-path", config.odm_path, "bogusname"], { env, stdio: 'inherit', shell: true }); + "--project-path", shEscape(`"${config.odm_path}"`), "bogusname"], { env, stdio: 'inherit', shell: true }); // Cleanup on done let handleResult = (err, result) => {