Fix issue where commands could be injected running on Cocoapods projects

Thanks to Joern SchneeweiszStaff Security Engineer, Security Research | GitLab for raising the issue
pivotal · May 17, 2021 · b0a61a2 · b0a61a2
1 parent c1f04fc
commit b0a61a2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/license_finder/package_managers/cocoa_pods.rb b/lib/license_finder/package_managers/cocoa_pods.rb
@@ -53,7 +53,7 @@ def acknowledgements_path
     end
 
     def read_plist(pathname)
-      JSON.parse(`plutil -convert json -o - '#{pathname}'`)
+      JSON.parse(`plutil -convert json -o - '#{pathname.gsub!(/[^0-9A-Za-z.\-]/, '')}'`)
     end
   end
 end