fix: handling heredoc injection
anibalsolon committed Dec 20, 2022
1 parent 6bad5c1 commit 66644ad
Showing 1 changed file with 5 additions and 4 deletions.
9 changes: 5 additions & 4 deletions api/controllers/dataset.js
Expand Up @@ -1520,16 +1520,17 @@ set -e
authors = authors.map(id=>common.deref_contact(id)).filter(a=>!!a).map(a=>a.fullname||a.email);

//write README and bids/dataset_description.json
let root = "./proj-"+project_id;
script += "mkdir -p "+root+"/bids\n";
script += "cat << '__ENDREADME__' > "+root+"/README\n";
const uniqueHeredoc = Math.random().toString(36).substring(2);
let root = `./proj-${project_id}`;
script += `mkdir -p ${root}/bids\n`;
script += `cat << '__${uniqueHeredoc}__' > ${root}/README\n`;
script += `${p.name}
${config.warehouse.url}/project/${project_id}
${p.desc}`;

script += "\n__ENDREADME__\n";
script += `\n__${uniqueHeredoc}__\n`;

let dataset_description = {
BIDSVersion: "1.0.1",
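Review bot: The new terminator in `const uniqueHeredoc = Math.random().toString(36).substring(2);` comes from a non-cryptographic generator and can be short, and `p.name` / `p.desc` are still appended to the script without any check that none of their lines equals `__${uniqueHeredoc}__`. That makes the README heredoc unlikely to terminate early rather than unable to. I would draw the token from a CSPRNG, `const uniqueHeredoc = crypto.randomBytes(16).toString('hex');` (this needs Node's `crypto` module in scope if the file does not already require it), and reject or regenerate when the README text contains the terminator line. Separately, `project_id` is interpolated unquoted into `mkdir -p ${root}/bids` and the redirect target, so it is worth confirming it is validated as an id before this point; the enclosing function starts and ends outside the hunk, so that validation may already exist.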
