From 7fe7e94fbd5c9a173602c0498814cb5d93195412 Mon Sep 17 00:00:00 2001
From: Kamil Skrzypinski
Date: Sun, 26 Feb 2023 20:10:25 +0100
Subject: [PATCH 1/2] Mitigate CVE-2023-23596 by changing child_process.exec to child_process.execFile
---
 backend/internal/access-list.js | 2 +-
 backend/lib/utils.js | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/backend/internal/access-list.js b/backend/internal/access-list.js
index 083bfa62..e34efa2f 100644
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -507,7 +507,7 @@ const internalAccessList = {
 if (typeof item.password !== 'undefined' && item.password.length) {
 logger.info('Adding: ' + item.username);
- utils.exec('/usr/bin/htpasswd -b "' + htpasswd_file + '" "' + item.username + '" "' + item.password + '"')
+ utils.execFile('/usr/bin/htpasswd',['-b', htpasswd_file, item.username, item.password])
 .then((/*result*/) => {
 next();
 })
diff --git a/backend/lib/utils.js b/backend/lib/utils.js
index 4c8b62a8..15142e84 100644
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -1,4 +1,5 @@
 const exec = require('child_process').exec;
+const execFile = require('child_process').execFile;
 module.exports = {
@@ -16,5 +17,21 @@ module.exports = {
 }
 });
 });
+ },
+
+ /**
+ * @param {Array} cmd
+ * @returns {Promise}
+ */
+ execFile: function (cmd) {
+ return new Promise((resolve, reject) => {
+ execFile(cmd, function (err, stdout, /*stderr*/) {
+ if (err && typeof err === 'object') {
+ reject(err);
+ } else {
+ resolve(stdout.trim());
+ }
+ });
+ });
 }
 };
From 2ff66ee238f2473d640e6c10737498d11e6eed9e Mon Sep 17 00:00:00 2001
From: Kamil Skrzypinski
Date: Tue, 7 Mar 2023 17:15:03 +0100
Subject: [PATCH 2/2] Add style required by linter
---
 backend/internal/access-list.js | 2 +-
 backend/lib/utils.js | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/internal/access-list.js b/backend/internal/access-list.js
index e34efa2f..eb039cbc 100644
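Review bot: The new `utils.execFile` call still hands the password to htpasswd as a command-line argument via `-b`, so while the array form removes the shell-metacharacter injection, the password remains visible in the process table (`ps`, `/proc/<pid>/cmdline`) to other local users for as long as htpasswd runs, which is typically short but not zero. htpasswd's `-i` option reads the password from stdin and would avoid that, but the wrapper introduced in the utils.js hunk gives no access to the child's stdin, so that is a follow-up rather than a one-line change here. Until then a comment at the call site, `// NOTE: -b passes the password via argv; it is briefly visible in the process list`, makes the residual exposure explicit to the next maintainer. The function enclosing this `if` starts and ends outside the hunk.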
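Review bot: The wrapper at `execFile: function (cmd)` accepts a single parameter and calls `execFile(cmd, function (...))`, so the argument array that access-list.js now passes as its second argument is discarded and htpasswd is spawned with no arguments, which cannot write the entry; the `@param {Array} cmd` JSDoc also labels the file path as an array. Forward the array explicitly: `execFile: function (cmd, args) {` and `execFile(cmd, args, function (err, stdout, /*stderr*/) {`, documented as `@param {String} cmd` and `@param {Array} args`. Keeping the arguments as a separate array rather than joining them into one string is what preserves the no-shell guarantee this commit relies on, so the wrapper should not accept a pre-joined command line. The `err && typeof err === 'object'` check is equivalent to `if (err)` for Node's callback, which passes an Error or null, so it could be simplified, though that is optional.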
--- a/backend/internal/access-list.js
+++ b/backend/internal/access-list.js
@@ -507,7 +507,7 @@ const internalAccessList = {
 if (typeof item.password !== 'undefined' && item.password.length) {
 logger.info('Adding: ' + item.username);
- utils.execFile('/usr/bin/htpasswd',['-b', htpasswd_file, item.username, item.password])
+ utils.execFile('/usr/bin/htpasswd', ['-b', htpasswd_file, item.username, item.password])
 .then((/*result*/) => {
 next();
 })
diff --git a/backend/lib/utils.js b/backend/lib/utils.js
index 15142e84..ead5b170 100644
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -1,4 +1,4 @@
-const exec = require('child_process').exec;
+const exec = require('child_process').exec;
 const execFile = require('child_process').execFile;
 module.exports = {