fix: CVE-2024-21538 by migrating to promisify-child-process #4658 (#4729)

Author: noomorph

detox/local-cli/utils/frameworkUtils.js

@@ -1,13 +1,12 @@
 const os = require('os');
 const path = require('path');
 
-const { spawn } = require('child-process-promise');
 const fs = require('fs-extra');
 
 const detox = require('../../internals');
+const { spawnAndLog } = require('../../src/utils/childProcess');
 const { getFrameworkDirPath, getXCUITestRunnerDirPath } = require('../../src/utils/environment');
 
-
 const frameworkBuildScript = '../../scripts/build_local_framework.ios.sh';
 const xcuitestBuildScript = '../../scripts/build_local_xcuitest.ios.sh';
 
@@ -26,7 +25,7 @@ async function execBuildScript(targetPath, scriptPath, descriptor) {
   const scriptFullPath = path.join(__dirname, scriptPath);
 
   try {
-    await spawn(scriptFullPath, [], { stdio: 'inherit' });
+    await spawnAndLog(scriptFullPath, [], { stdio: 'inherit' });
   } catch (error) {
     detox.log.error(`Error while building ${descriptor}:\n${error}`);
     throw error;

detox/package.json

@@ -64,7 +64,7 @@
     "prettier": "^3.1.1",
     "react-native": "0.76.3",
     "react-native-codegen": "^0.0.8",
-    "typescript": "^5.3.3",
+    "typescript": "~5.3.3",
     "wtfnode": "^0.9.1"
   },
   "dependencies": {
@@ -73,14 +73,14 @@
     "bunyan-debug-stream": "^3.1.0",
     "caf": "^15.0.1",
     "chalk": "^4.0.0",
-    "child-process-promise": "^2.2.0",
     "detox-copilot": "^0.0.27",
     "execa": "^5.1.1",
     "find-up": "^5.0.0",
     "fs-extra": "^11.0.0",
     "funpermaproxy": "^1.1.0",
     "glob": "^8.0.3",
     "ini": "^1.3.4",
+    "promisify-child-process": "^4.1.2",
     "jest-environment-emit": "^1.0.8",
     "json-cycle": "^1.3.0",
     "lodash": "^4.17.11",

detox/src/android/AndroidExpect.test.js

@@ -427,6 +427,18 @@ describe('AndroidExpect', () => {
     });
 
     describe('WebElement Actions', () => {
+      let handle;
+
+      beforeEach(() => {
+        jest.useFakeTimers({ doNotFake: ['clearInterval', 'setInterval'] });
+        handle = setInterval(() => jest.runAllTimers(), 5);
+      });
+
+      afterEach(() => {
+        clearInterval(handle);
+        jest.useRealTimers();
+      });
+
       it('tap', async () => {
         await e.web.element(e.by.web.id('id')).tap();
         await e.web.element(e.by.web.className('className')).tap();

detox/src/devices/allocation/drivers/android/emulator/launchEmulatorProcess.js

@@ -31,23 +31,37 @@ function launchEmulatorProcess(emulatorExec, adb, emulatorLaunchCommand) {
 
   log = log.child({ child_pid: childProcessPromise.childProcess.pid });
 
-  adb.waitForDevice(emulatorLaunchCommand.adbName).then(() => childProcessPromise._cpResolve());
+  // Create a deferred promise that resolves when the device is ready
+  let resolveEmulatorReady;
+  const emulatorReadyPromise = new Promise(resolve => {
+    resolveEmulatorReady = resolve;
+  });
 
-  return childProcessPromise.then(() => true).catch((err) => {
-    detach();
+  // Wait for the device to be ready
+  adb.waitForDevice(emulatorLaunchCommand.adbName).then(() => {
+    resolveEmulatorReady();
+  });
 
-    if (childProcessOutput.includes(`There's another emulator instance running with the current AVD`)) {
-      return false;
-    }
+  // Use Promise.race to resolve with the first one to complete - either the emulator process exits
+  // or the emulator device is ready
+  return Promise.race([childProcessPromise, emulatorReadyPromise])
+    .then(() => true)
+    .catch((err) => {
+      detach();
 
-    log.error({ event: 'SPAWN_FAIL', error: true, err }, err.message);
-    log.error({ event: 'SPAWN_FAIL', stderr: true }, childProcessOutput);
-    throw err;
-  }).then((coldBoot) => {
-    detach();
-    log.debug({ event: 'SPAWN_SUCCESS', stdout: true }, childProcessOutput);
-    return coldBoot;
-  });
+      if (childProcessOutput && childProcessOutput.includes(`There's another emulator instance running with the current AVD`)) {
+        return false;
+      }
+
+      log.error({ event: 'SPAWN_FAIL', error: true, err }, err.message);
+      log.error({ event: 'SPAWN_FAIL', stderr: true }, childProcessOutput);
+      throw err;
+    })
+    .then((coldBoot) => {
+      detach();
+      log.debug({ event: 'SPAWN_SUCCESS', stdout: true }, childProcessOutput);
+      return coldBoot;
+    });
 }
 
 module.exports = { launchEmulatorProcess };

detox/src/devices/common/drivers/android/exec/ADB.js

@@ -375,6 +375,7 @@ class ADB {
       ...this.defaultExecOptions,
       ...spawnOptions,
       capture: ['stdout'],
+      encoding: 'utf8',
     };
     return spawnWithRetriesAndLogs(this.adbBin, _flags, _spawnOptions);
   }

detox/src/devices/common/drivers/android/exec/ADB.test.js

@@ -133,6 +133,7 @@ describe('ADB', () => {
       retries: 3,
       timeout: 60000,
       capture: ['stdout'],
+      encoding: 'utf8',
     };
     await adb.install(deviceId, 'path/to/bin.apk');
 
@@ -248,6 +249,7 @@ describe('ADB', () => {
       retries: 3,
       timeout: 60000,
       capture: ['stdout'],
+      encoding: 'utf8',
     };
     const binaryPath = '/mock-path/filename.mock';
     await adb.install(deviceId, binaryPath);

detox/src/devices/common/drivers/android/exec/BinaryExec.js

@@ -1,7 +1,4 @@
-// @ts-nocheck
-const spawn = require('child-process-promise').spawn;
-
-const exec = require('../../../../../utils/childProcess').execWithRetriesAndLogs;
+const { execAsync, spawnAndLog } = require('../../../../../utils/childProcess');
 
 class ExecCommand {
   toString() {
@@ -27,15 +24,19 @@ class BinaryExec {
   }
 
   async exec(command) {
-    return (await exec(`"${this.binary}" ${command._getArgsString()}`)).stdout;
+    return await execAsync(`"${this.binary}" ${command._getArgsString()}`);
   }
 
   spawn(command, stdout, stderr) {
-    return spawn(this.binary, command._getArgs(), { detached: true, stdio: ['ignore', stdout, stderr] });
+    return spawnAndLog(this.binary, command._getArgs(), {
+      detached: true,
+      encoding: 'utf8',
+      stdio: ['ignore', stdout, stderr]
+    });
   }
 }
 
 module.exports = {
   ExecCommand,
-  BinaryExec,
+  BinaryExec
 };

detox/src/devices/common/drivers/android/exec/BinaryExec.test.js

@@ -1,3 +1,4 @@
+/* eslint-disable node/no-extraneous-require */
 describe('BinaryExec', () => {
   const binaryPath = '/binary/mock';
 
@@ -6,16 +7,11 @@ describe('BinaryExec', () => {
   let binaryExec;
   beforeEach(() => {
     jest.mock('../../../../../utils/childProcess', () => ({
-      execWithRetriesAndLogs: jest.fn().mockResolvedValue({
-        stdout: '',
-      }),
+      execAsync: jest.fn().mockResolvedValue(''),
+      spawnAndLog: jest.fn()
     }));
-    exec = require('../../../../../utils/childProcess').execWithRetriesAndLogs;
-
-    jest.mock('child-process-promise', () => ({
-      spawn: jest.fn()
-    }));
-    spawn = require('child-process-promise').spawn;
+    exec = require('../../../../../utils/childProcess').execAsync;
+    spawn = require('../../../../../utils/childProcess').spawnAndLog;
 
     const { BinaryExec } = require('./BinaryExec');
     binaryExec = new BinaryExec(binaryPath);
@@ -55,17 +51,15 @@ describe('BinaryExec', () => {
       expect(exec).toHaveBeenCalledWith(`"${binaryPath}" -mock -argz`);
     });
 
-    it('should return content of resolved promise\'s stdout', async () => {
-      const execResult = {
-        stdout: 'mock stdout content'
-      };
+    it('should return content of resolved promise', async () => {
+      const execResult = 'mock stdout content';
       exec.mockResolvedValue(execResult);
 
       const { ExecCommand } = require('./BinaryExec');
       const command = new ExecCommand();
       const result = await binaryExec.exec(command);
 
-      expect(result).toEqual(execResult.stdout);
+      expect(result).toEqual(execResult);
     });
   });
 
@@ -87,14 +81,14 @@ describe('BinaryExec', () => {
       expect(spawn).toHaveBeenCalledWith(binaryPath, commandArgs, expect.anything());
     });
 
-    it('should chain-return child-process-promise from spawn', async () => {
-      const childProcessPromise = Promise.resolve('mock result');
-      spawn.mockReturnValue(childProcessPromise);
+    it('should chain-return spawn result', async () => {
+      const spawnResult = Promise.resolve('mock result');
+      spawn.mockReturnValue(spawnResult);
 
       const command = anEmptyCommand();
 
       const result = binaryExec.spawn(command);
-      expect(result).toEqual(childProcessPromise);
+      expect(result).toEqual(spawnResult);
     });
   });
 });

detox/src/devices/runtime/drivers/ios/SimulatorDriver.js

@@ -1,13 +1,14 @@
 // @ts-nocheck
 const path = require('path');
 
-const exec = require('child-process-promise').exec;
 const _ = require('lodash');
 
+
 const temporaryPath = require('../../../../artifacts/utils/temporaryPath');
 const DetoxRuntimeError = require('../../../../errors/DetoxRuntimeError');
 const XCUITestRunner = require('../../../../ios/XCUITestRunner');
 const { assertTraceDescription } = require('../../../../utils/assertArgument');
+const { execAsync } = require('../../../../utils/childProcess');
 const getAbsoluteBinaryPath = require('../../../../utils/getAbsoluteBinaryPath');
 const { actionDescription } = require('../../../../utils/invocationTraceDescriptions');
 const log = require('../../../../utils/logger').child({ cat: 'device' });
@@ -16,7 +17,6 @@ const traceInvocationCall = require('../../../../utils/traceInvocationCall').bin
 
 const IosDriver = require('./IosDriver');
 
-
 /**
  * @typedef SimulatorDriverDeps { DeviceDriverDeps }
  * @property applesimutils { AppleSimUtils }
@@ -69,8 +69,7 @@ class SimulatorDriver extends IosDriver {
   async getBundleIdFromBinary(appPath) {
     appPath = getAbsoluteBinaryPath(appPath);
     try {
-      const result = await exec(`/usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" "${path.join(appPath, 'Info.plist')}"`);
-      const bundleId = _.trim(result.stdout);
+      const bundleId = await execAsync(`/usr/libexec/PlistBuddy -c "Print CFBundleIdentifier" "${path.join(appPath, 'Info.plist')}"`);
       if (_.isEmpty(bundleId)) {
         throw new Error();
       }
@@ -141,7 +140,7 @@ class SimulatorDriver extends IosDriver {
     const xcuitestRunner = new XCUITestRunner({ runtimeDevice: { id: this.getExternalId(), _bundleId } });
     let x = point?.x ?? 100;
     let y = point?.y ?? 100;
-    let _pressDuration = pressDuration ? (pressDuration / 1000) : 1;
+    let _pressDuration = pressDuration ? pressDuration / 1000 : 1;
     const traceDescription = actionDescription.longPress({ x, y }, _pressDuration);
     return this.withAction(xcuitestRunner, 'coordinateLongPress', traceDescription, x.toString(), y.toString(), _pressDuration.toString());
   }
@@ -210,7 +209,7 @@ class SimulatorDriver extends IosDriver {
     await this.emitter.emit('createExternalArtifact', {
       pluginId: 'screenshot',
       artifactName: screenshotName || path.basename(tempPath, '.png'),
-      artifactPath: tempPath,
+      artifactPath: tempPath
     });
 
     return tempPath;
@@ -223,7 +222,7 @@ class SimulatorDriver extends IosDriver {
     await this.emitter.emit('createExternalArtifact', {
       pluginId: 'uiHierarchy',
       artifactName: artifactName,
-      artifactPath: viewHierarchyURL,
+      artifactPath: viewHierarchyURL
     });
 
     return viewHierarchyURL;

detox/src/ios/XCUITestRunner.js

@@ -1,6 +1,5 @@
-const { exec } = require('child-process-promise');
-
 const DetoxRuntimeError = require('../errors/DetoxRuntimeError');
+const { execAsync } = require('../utils/childProcess');
 const environment = require('../utils/environment');
 const log = require('../utils/logger').child({ cat: 'xcuitest-runner' });
 
@@ -37,7 +36,7 @@ class XCUITestRunner {
           `--predicate 'process == "DetoxXCUITestRunner-Runner" && subsystem == "com.wix.DetoxXCUITestRunner.xctrunner"'`);
 
         try {
-            return await exec(`TEST_RUNNER_PARAMS="${base64InvocationParams}" TEST_RUNNER_BUNDLE_ID="${this.runtimeDevice._bundleId}" xcodebuild ${flags.join(' ')}`);
+            return await execAsync(`TEST_RUNNER_PARAMS="${base64InvocationParams}" TEST_RUNNER_BUNDLE_ID="${this.runtimeDevice._bundleId}" xcodebuild ${flags.join(' ')}`);
         } catch (e) {
             const stdout = e.stdout.toString();
             const innerError = this.findInnerError(stdout);

detox/src/ios/XCUITestRunner.test.js

@@ -1,12 +1,12 @@
 const XCUITestRunner = require('./XCUITestRunner');
 
-jest.mock('child-process-promise', () => {
+jest.mock('promisify-child-process', () => {
     return {
         exec: jest.fn(),
     };
 });
 
-const { exec } = jest.requireMock('child-process-promise');
+const { exec } = jest.requireMock('promisify-child-process');
 const environment = jest.requireMock('../utils/environment');
 
 jest.mock('../utils/environment');

detox/src/utils/__snapshots__/assertArgument.test.js.snap

@@ -44,4 +44,4 @@ exports[`assertUndefined should throw for "str" 1`] = `"0 expected to be undefin
 
 exports[`assertUndefined should throw for {"key":"val"} 1`] = `"key expected to be undefined, but got val (string)"`;
 
-exports[`assertUndefined should throw for 1 1`] = `"undefined is not iterable (cannot read property Symbol(Symbol.iterator))"`;
+exports[`assertUndefined should throw for 1 1`] = `"value expected to be undefined, but got 1 (number)"`;

detox/src/utils/assertArgument.js

@@ -1,7 +1,9 @@
+const _ = require('lodash');
+
 const { DetoxInternalError, DetoxRuntimeError } = require('../errors');
 
 function firstEntry(obj) {
-  return Object.entries(obj)[0];
+  return _.entries(obj)[0] || ['value', obj];
 }
 
 function assertType(expectedType) {

detox/src/utils/childProcess/exec.js

@@ -1,13 +1,19 @@
 // @ts-nocheck
-const { exec } = require('child-process-promise');
 const _ = require('lodash');
+const { exec } = require('promisify-child-process');
 
 const DetoxRuntimeError = require('../../errors/DetoxRuntimeError');
 const rootLogger = require('../logger').child({ cat: ['child-process', 'child-process-exec'] });
 const retry = require('../retry');
 
 const execsCounter = require('./opsCounter');
 
+/**
+ * Executes a command with retries and logs
+ * @param {*} bin - command to execute
+ * @param {*} options - options
+ * @returns {Promise<import('promisify-child-process').Output>}
+ */
 async function execWithRetriesAndLogs(bin, options = {}) {
   const {
     retries = 9,