From f74d7475ee1d25fa88afa09be750e6ee6355fb59 Mon Sep 17 00:00:00 2001
From: quactv <51528368+tranquac@users.noreply.github.com>
Date: Sat, 28 Mar 2026 04:19:27 +0700
Subject: [PATCH] fix: prevent argument injection in npm command handler
Signed-off-by: tranquac
---
 node.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/node.php b/node.php
index b725b9f..39da386 100644
--- a/node.php
+++ b/node.php
@@ -101,7 +101,14 @@ function node_npm($cmd) {
 echo "Node.js is not yet installed. Install it.\n";
 return;
 }
- $cmd = escapeshellcmd(NODE_DIR . "/bin/npm --cache ./.npm -- $cmd");
+ // Whitelist allowed npm subcommands to prevent arbitrary command execution
+ $allowed = array('install', 'uninstall', 'update', 'list', 'ls', 'outdated', 'init', 'version');
+ $parts = explode(' ', trim($cmd), 2);
+ if (!in_array($parts[0], $allowed)) {
+ echo "Error: npm subcommand not allowed.\n";
+ return;
+ }
+ $cmd = NODE_DIR . "/bin/npm --cache ./.npm -- " . escapeshellarg($cmd);
 echo "Running: $cmd\n";
 $ret = -1;
 passthru($cmd, $ret);
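Review bot: `escapeshellarg($cmd)` on the last added line quotes the whole input as one shell word, so a subcommand followed by arguments (for example `install <package>`) reaches npm as a single argv entry and will most likely not be recognised as a command; only a bare subcommand would still run. Splitting the input into tokens, checking the first one against `$allowed` with a strict `in_array(..., true)`, and escaping each token on its own keeps the injection fix without losing the arguments, as sketched below. Separately, the allowlist does not limit what `install` fetches, and package lifecycle scripts run with the privileges of the PHP process, so it is worth deciding whether that subcommand should be exposed here or run with `--ignore-scripts`. node_npm starts before and continues after this hunk, so the handling of `$ret` is not visible.

```php
// … unchanged: $allowed list …
$parts = preg_split('/\s+/', trim($cmd), -1, PREG_SPLIT_NO_EMPTY);
if (!$parts || !in_array($parts[0], $allowed, true)) {
    echo "Error: npm subcommand not allowed.\n";
    return;
}
// Quote each token separately so npm still receives distinct arguments.
$cmd = NODE_DIR . "/bin/npm --cache ./.npm -- "
    . implode(' ', array_map('escapeshellarg', $parts));
```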