Fix Command Injection vulnerability

c4p-n1ck · Mar 17, 2021 · a48fd29 · a48fd29
1 parent 723f44d
commit a48fd29
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/lib/find.js b/lib/find.js
@@ -57,7 +57,12 @@ function find (by, value, strict) {
     if (!(by in findBy)) {
       reject(new Error(`do not support find by "${by}"`))
     } else {
-      findBy[by](value, strict).then(resolve, reject)
+      if (by === 'pid' && typeof value !== 'number')
+        reject(new Error(`pid must be a number`))
+      else if (by === 'port' && typeof value !== 'number')
+        reject(new Error(`port must be a number`))
+      else
+        findBy[by](value, strict).then(resolve, reject)
     }
   })
 }