From 3ddf1720bb10d1995bcf36a924805d5349ff8b63 Mon Sep 17 00:00:00 2001
From: Ralf Vogler <ralf.vogler@gmail.com>
Date: Thu, 9 Nov 2023 02:34:17 +0100
Subject: [PATCH] notify: use execFile with arg array instead of exec to avoid
 shell-escape, fixes #239

Also proper fix for https://github.com/vogler/free-games-claimer/pull/167

https://www.npmjs.com/package/shell-escape
https://stackoverflow.com/questions/1779858/how-do-i-escape-a-string-for-a-shell-command-in-node
https://nodejs.org/api/child_process.html#child_processexecfilefile-args-options-callback
---
 notify-test.js |  5 ++++-
 util.js        | 14 ++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/notify-test.js b/notify-test.js
index 9d593c0..b9c293f 100644
--- a/notify-test.js
+++ b/notify-test.js
@@ -1,15 +1,18 @@
 /* eslint-disable no-constant-condition */
 import { delay, html_game_list, notify } from './util.js';
+import { cfg } from './config.js';
 
 const URL_CLAIM = 'https://gaming.amazon.com/home'; // dummy URL
 
+console.debug('NOTIFY:', cfg.notify);
+
 if (true) {
   const notify_games = [
     // { title: 'Kerbal Space Program', status: 'claimed', url: URL_CLAIM },
     // { title: "Shadow Tactics - Aiko's Choice", status: 'claimed', url: URL_CLAIM },
     { title: 'Epistory - Typing Chronicles', status: 'claimed', url: URL_CLAIM },
   ];
-  notify(`epic-games:<br>${html_game_list(notify_games)}`);
+  await notify(`epic-games:<br>${html_game_list(notify_games)}`);
 }
 
 if (false) {
diff --git a/util.js b/util.js
index 16ae806..acd6c0b 100644
--- a/util.js
+++ b/util.js
@@ -85,13 +85,19 @@ export const prompt = o => enquirer.prompt({ name: 'name', type: 'input', messag
 export const confirm = o => prompt({ type: 'confirm', message: 'Continue?', ...o });
 
 // notifications via apprise CLI
-import { exec } from 'child_process';
+import { execFile } from 'child_process';
 import { cfg } from './config.js';
 
 export const notify = html => new Promise((resolve, reject) => {
-  if (!cfg.notify) return resolve();
-  const title = cfg.notify_title ? `-t ${cfg.notify_title}` : '';
-  exec(`apprise ${cfg.notify} -i html '${title}' -b '${html}'`, (error, stdout, stderr) => {
+  if (!cfg.notify) {
+    if (cfg.debug) console.debug('notify: NOTIFY is not set!');
+    return resolve();
+  }
+  // const cmd = `apprise '${cfg.notify}' ${title} -i html -b '${html}'`; // this had problems if e.g. ' was used in arg; could have `npm i shell-escape`, but instead using safer execFile which takes args as array instead of exec which spawned a shell to execute the command
+  const args = [cfg.notify, '-i', 'html', '-b', html];
+  if (cfg.notify_title) args.push(...['-t', cfg.notify_title]);
+  if (cfg.debug) console.debug(`apprise ${args.map(a => `'${a}'`).join(' ')}`); // this also doesn't escape, but it's just for info
+  execFile('apprise', args, (error, stdout, stderr) => {
     if (error) {
       console.log(`error: ${error.message}`);
       if (error.message.includes('command not found')) {