check android emulator names

Summary: maliciously named Android emulators could execute arbitrary commands. This checks makes sure the emulator name only has valid characters and puts them in quotes to prevent executing other commands. Reviewed By: jknoxville Differential Revision: D8489024 fbshipit-source-id: d91011ceaa8abf0ac53a308089cbdd0b0db03b54
2018-06-19 03:51:57 -07:00
parent 7406af9c3a
commit e70ebc4c59
1 changed files with 10 additions and 4 deletions
--- a/src/chrome/DevicesButton.js
+++ b/src/chrome/DevicesButton.js
@@ -189,10 +189,16 @@ class DevicesButton extends Component<Props, State> {
  }

  launchEmulator = (name: string) => {
-    child_process.exec(
-      `$ANDROID_HOME/tools/emulator @${name}`,
-      this.updateEmulatorState,
-    );
+    if (/^[a-zA-Z0-9-_\s]+$/.test(name)) {
+      child_process.exec(
+        `$ANDROID_HOME/tools/emulator -avd "${name}"`,
+        this.updateEmulatorState,
+      );
+    } else {
+      console.error(
+        `Can not launch emulator named ${name}, because it's name contains invalid characters.`,
+      );
+    }
  };

  createEmualtor = () => {};