Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: use renameSync instead of mv #8706

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
+11 −22
Draft

fix: use renameSync instead of mv #8706

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c5a72f6
use renameSync instead of mv
beyondkmp Nov 23, 2024
d790230
add changeset
beyondkmp Nov 23, 2024
43213ef
delete bash
beyondkmp Nov 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .changeset/olive-chicken-build.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"electron-updater": patch
---

fix: use renameSync instead of mv
4 changes: 2 additions & 2 deletions packages/electron-updater/src/AppImageUpdater.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
import { AllPublishOptions, newError } from "builder-util-runtime"
import { execFileSync } from "child_process"
import { chmod } from "fs-extra"
import { unlinkSync } from "fs"
import { unlinkSync, renameSync } from "fs"
import * as path from "path"
import { DownloadUpdateOptions } from "./AppUpdater"
import { BaseUpdater, InstallOptions } from "./BaseUpdater"
Expand Down Expand Up @@ -93,7 +93,7 @@ export class AppImageUpdater extends BaseUpdater {
destination = path.join(path.dirname(appImageFile), path.basename(options.installerPath))
}

execFileSync("mv", ["-f", options.installerPath, destination])
renameSync(options.installerPath, destination)
Copy link
Collaborator

@mmaietta mmaietta Nov 24, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't seem like it would work due to installerPath being a space-escaped string for piping to the cmd shell. Right?

If the platform is Linux, replace spaces with '\ ' for shell compatibility

electron-builder/packages/electron-updater/src/BaseUpdater.ts

Lines 52 to 60 in 6a6bed4

// Get the installer path, ensuring spaces are escaped on Linux
// 1. Check if downloadedUpdateHelper is not null
// 2. Check if downloadedUpdateHelper.file is not null
// 3. If both checks pass:
// a. If the platform is Linux, replace spaces with '\ ' for shell compatibility
// b. If the platform is not Linux, use the original path
// 4. If any check fails, set installerPath to null
const installerPath =
downloadedUpdateHelper && downloadedUpdateHelper.file ? (process.platform === "linux" ? downloadedUpdateHelper.file.replace(/ /g, "\\ ") : downloadedUpdateHelper.file) : null

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I found that this was the cause, so I changed it to draft.

I don't think it's handled well here - it shouldn't directly add /. Instead, it should be handled by each deb/rpm/pacman separately.

These linux install commands use string concatenation, so if malicious code is added to the name, it could lead to serious security vulnerabilities.

electron-builder/packages/electron-updater/src/PacmanUpdater.ts

Lines 34 to 35 in 6a6bed4

const cmd = ["pacman", "-U", "--noconfirm", options.installerPath]
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`])

if (destination !== appImageFile) {
this.emit("appimage-filename-updated", destination)
}
Expand Down
12 changes: 1 addition & 11 deletions packages/electron-updater/src/BaseUpdater.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,17 +48,7 @@ export abstract class BaseUpdater extends AppUpdater {
}

const downloadedUpdateHelper = this.downloadedUpdateHelper

// Get the installer path, ensuring spaces are escaped on Linux
// 1. Check if downloadedUpdateHelper is not null
// 2. Check if downloadedUpdateHelper.file is not null
// 3. If both checks pass:
// a. If the platform is Linux, replace spaces with '\ ' for shell compatibility
// b. If the platform is not Linux, use the original path
// 4. If any check fails, set installerPath to null
const installerPath =
downloadedUpdateHelper && downloadedUpdateHelper.file ? (process.platform === "linux" ? downloadedUpdateHelper.file.replace(/ /g, "\\ ") : downloadedUpdateHelper.file) : null

const installerPath = downloadedUpdateHelper == null ? null : downloadedUpdateHelper.file
const downloadedFileInfo = downloadedUpdateHelper == null ? null : downloadedUpdateHelper.downloadedFileInfo
if (installerPath == null || downloadedFileInfo == null) {
this.dispatchError(new Error("No valid update available, can't quit and install"))
Expand Down
4 changes: 1 addition & 3 deletions packages/electron-updater/src/DebUpdater.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,8 @@ export class DebUpdater extends BaseUpdater {

protected doInstall(options: InstallOptions): boolean {
const sudo = this.wrapSudo()
// pkexec doesn't want the command to be wrapped in " quotes
const wrapper = /pkexec/i.test(sudo) ? "" : `"`
const cmd = ["dpkg", "-i", options.installerPath, "||", "apt-get", "install", "-f", "-y"]
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`])
this.spawnSyncLog(sudo, cmd)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to double check, was this tested? (Same for pacman and Rpm)

Pretty sure this will fail as my previous project required piping it to bash

Comment on lines 32 to +33
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Imo, this way of installing local .deb in 2 steps with dpkg and apt-get install -f can be updated. Apt is now able to install local .deb and depends in a single command if the package argument is an absolute path to a .deb.

You may now do this.spawnSyncLog("sudo", ["apt-get", "install", "-y", options.installerPath]). This will avoid you to pipe commands, or to split it into 2 commands and checking return code.

if (options.isForceRunAfter) {
this.app.relaunch()
}
Expand Down
4 changes: 1 addition & 3 deletions packages/electron-updater/src/PacmanUpdater.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,8 @@ export class PacmanUpdater extends BaseUpdater {

protected doInstall(options: InstallOptions): boolean {
const sudo = this.wrapSudo()
// pkexec doesn't want the command to be wrapped in " quotes
const wrapper = /pkexec/i.test(sudo) ? "" : `"`
const cmd = ["pacman", "-U", "--noconfirm", options.installerPath]
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`])
this.spawnSyncLog(sudo, cmd)
if (options.isForceRunAfter) {
this.app.relaunch()
}
Expand Down
4 changes: 1 addition & 3 deletions packages/electron-updater/src/RpmUpdater.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,8 +30,6 @@ export class RpmUpdater extends BaseUpdater {
protected doInstall(options: InstallOptions): boolean {
const upgradePath = options.installerPath
const sudo = this.wrapSudo()
// pkexec doesn't want the command to be wrapped in " quotes
const wrapper = /pkexec/i.test(sudo) ? "" : `"`
const packageManager = this.spawnSyncLog("which zypper")
let cmd: string[]
if (!packageManager) {
Expand All @@ -40,7 +38,7 @@ export class RpmUpdater extends BaseUpdater {
} else {
cmd = [packageManager, "--no-refresh", "install", "--allow-unsigned-rpm", "-y", "-f", upgradePath]
}
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`])
this.spawnSyncLog(sudo, cmd)
if (options.isForceRunAfter) {
this.app.relaunch()
}
Expand Down
Loading