From e70ebc4c593f0dc897da817ed951f795c5605e3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20B=C3=BCchele?=
Date: Tue, 19 Jun 2018 03:51:57 -0700
Subject: [PATCH] check android emulator names

Summary: maliciously named Android emulators could execute arbitrary commands. This checks makes sure the emulator name only has valid characters and puts them in quotes to prevent executing other commands.
Reviewed By: jknoxville
Differential Revision: D8489024
fbshipit-source-id: d91011ceaa8abf0ac53a308089cbdd0b0db03b54
---
 src/chrome/DevicesButton.js | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/chrome/DevicesButton.js b/src/chrome/DevicesButton.js
index cfa2b3222..2b5cfe2c7 100644
--- a/src/chrome/DevicesButton.js
+++ b/src/chrome/DevicesButton.js
@@ -189,10 +189,16 @@ class DevicesButton extends Component {
 }
 launchEmulator = (name: string) => {
- child_process.exec(
- `$ANDROID_HOME/tools/emulator @${name}`,
- this.updateEmulatorState,
- );
+ if (/^[a-zA-Z0-9-_\s]+$/.test(name)) {
+ child_process.exec(
+ `$ANDROID_HOME/tools/emulator -avd "${name}"`,
+ this.updateEmulatorState,
+ );
+ } else {
+ console.error(
+ `Can not launch emulator named ${name}, because it's name contains invalid characters.`,
+ );
+ }
 };
 createEmualtor = () => {};
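Review bot: The validated name in `launchEmulator` is still interpolated into a string that `child_process.exec` passes to a shell, so the regex and the added quotes are the only barrier against command injection. Passing the name as a separate argument removes shell parsing altogether: `child_process.execFile(emulatorPath, ['-avd', name], this.updateEmulatorState)`, with `emulatorPath` built from `process.env.ANDROID_HOME`, keeping the allowlist as a second check. The class `\s` also admits tabs and newlines, and the `-` in the middle of the class is easy to misread as a range, so `/^[a-zA-Z0-9_ -]+$/` would be tighter if only plain spaces are meant. `updateEmulatorState` is defined outside the hunk, so confirm it accepts the `(error, stdout, stderr)` callback arguments, which `execFile` passes just as `exec` does.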