From d70d014f70baf5f4c3152f69c88a42a283519f89 Mon Sep 17 00:00:00 2001
From: "huntr.dev | the place to protect open source"
Date: Mon, 8 Mar 2021 19:03:16 +0000
Subject: [PATCH] Security Fix for Command Injection - huntr.dev (#10644)
* Update getProcessForPort.js
* Update getProcessForPort.js
Co-authored-by: Zhou Peng
Co-authored-by: Dan Abramov
---
 packages/react-dev-utils/getProcessForPort.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/packages/react-dev-utils/getProcessForPort.js b/packages/react-dev-utils/getProcessForPort.js
index 8df45464977..a2e3f7c4a06 100644
--- a/packages/react-dev-utils/getProcessForPort.js
+++ b/packages/react-dev-utils/getProcessForPort.js
@@ -9,6 +9,7 @@
 var chalk = require('chalk');
 var execSync = require('child_process').execSync;
+var execFileSync = require('child_process').execFileSync;
 var path = require('path');
 var execOptions = {
@@ -25,7 +26,7 @@ function isProcessAReactApp(processCommand) {
 }
 function getProcessIdOnPort(port) {
- return execSync('lsof -i:' + port + ' -P -t -sTCP:LISTEN', execOptions)
+ return execFileSync('lsof', ['-i:' + port, '-P', '-t', '-sTCP:LISTEN'], execOptions)
 .split('\n')[0]
 .trim();
 }
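Review bot: `port` is still concatenated unchecked into the `-i:` argument in `getProcessIdOnPort`; `execFileSync` removes the shell, so metacharacters are no longer interpreted, but a non-numeric value would still reach `lsof` as part of its address selector. Coercing and range-checking first would close that gap: `var portNumber = parseInt(port, 10);`, then `if (!(portNumber >= 0 && portNumber <= 65535)) { throw new TypeError('Invalid port'); }`, and pass `'-i:' + portNumber`. How callers handle a throw is not visible here, so returning early may fit better. The first hunk keeps the `execSync` import, so other call sites in this file presumably still build shell command strings; they lie outside the visible hunks and are worth checking for the same pattern. A one-line comment above the call, such as `// argv array, no shell: port is never parsed as shell syntax`, would record why `execFileSync` is used here.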