Harden Network Inspector server binding and adb command execution

src/extension/android/adb.ts

@@ -164,12 +164,12 @@ export class AdbHelper {
     }
 
     public async apiVersion(deviceId: string): Promise<AndroidAPILevel> {
-        const output = await this.executeQuery(deviceId, "shell getprop ro.build.version.sdk");
+        const output = await this.executeQuery(deviceId, ["shell", "getprop", "ro.build.version.sdk"]);
         return parseInt(output, 10);
     }
 
     public reverseAdb(deviceId: string, port: number): Promise<void> {
-        return this.execute(deviceId, `reverse tcp:${port} tcp:${port}`);
+        return this.execute(deviceId, ["reverse", `tcp:${port}`, `tcp:${port}`]);
     }
 
     public showDevMenu(deviceId?: string): Promise<void> {
@@ -237,7 +237,7 @@ export class AdbHelper {
             );
             const isExist = fs.existsSync(localPropertiesSdkPath);
             if (isExist) {
-                return `"${localPropertiesSdkPath}"`;
+                return localPropertiesSdkPath;
             }
             if (logger) {
                 logger.warning(
@@ -253,15 +253,24 @@ export class AdbHelper {
     }
 
     public executeShellCommand(deviceId: string, command: string): Promise<string> {
-        return this.executeQuery(deviceId, `shell "${command}"`);
+        return this.childProcess.execFileToString(this.adbExecutable, [
+            "-s",
+            deviceId,
+            "shell",
+            command,
+        ]);
     }
 
     public installApplicationToEmulator(appPath: string): Promise<string> {
-        return this.childProcess.execToString(`adb install ${appPath}`);
+        return this.childProcess.execFileToString("adb", ["install", appPath]);
     }
 
-    public executeQuery(deviceId: string, command: string): Promise<string> {
-        return this.childProcess.execToString(this.generateCommandForTarget(deviceId, command));
+    public executeQuery(deviceId: string, args: string[]): Promise<string> {
+        return this.childProcess.execFileToString(this.adbExecutable, [
+            "-s",
+            deviceId,
+            ...args,
+        ]);
     }
 
     private parseConnectedTargets(input: string): IDebuggableMobileTarget[] {
@@ -283,12 +292,9 @@ export class AdbHelper {
         return !!id.match(AdbHelper.AndroidSDKEmulatorPattern);
     }
 
-    private execute(deviceId: string, command: string): Promise<void> {
-        return this.commandExecutor.execute(this.generateCommandForTarget(deviceId, command));
-    }
-
-    private generateCommandForTarget(deviceId: string, adbCommand: string): string {
-        return `${this.adbExecutable} -s "${deviceId}" ${adbCommand}`;
+    private execute(deviceId: string, args: string[]): Promise<void> {
+        const command = `${this.adbExecutable} -s "${deviceId}" ${args.join(" ")}`;
+        return this.commandExecutor.execute(command);
     }
 
     private getSdkLocationFromLocalPropertiesFile(

src/extension/android/androidContainerUtility.ts

@@ -104,7 +104,7 @@ async function _pushFile(
     try {
         const pushRes = await adbHelper.executeQuery(
             deviceId,
-            `push ${sourceFilepath} ${tmpFilePath}`,
+            ["push", sourceFilepath, tmpFilePath],
         );
         logger?.debug(pushRes);
         const command = `cp "${tmpFilePath}" "${destFilepath}" && chmod 644 "${destFilepath}"`;
@@ -135,10 +135,13 @@ function validateAppName(app: string): Promise<string> {
 }
 
 function validateFilePath(filePath: string): Promise<string> {
-    if (!filePath.match(/'/)) {
-        return Promise.resolve(filePath);
+    if (!/^[A-Za-z0-9._\/-]+$/.test(filePath)) {
+        return Promise.reject(new Error(`Disallowed filepath characters: ${filePath}`));
     }
-    return Promise.reject(new Error(`Disallowed escaping filepath: ${filePath}`));
+    if (filePath.includes("..")) {
+        return Promise.reject(new Error(`Path traversal not allowed: ${filePath}`));
+    }
+    return Promise.resolve(filePath);
 }
 
 function validateFileContent(content: string): Promise<string> {

src/extension/android/androidPlatform.ts

@@ -226,7 +226,7 @@ export class AndroidPlatform extends GeneralMobilePlatform {
                                     // For physical devices, get model name
                                     const modelResult = await this.adbHelper.executeQuery(
                                         targetId,
-                                        "shell getprop ro.product.model",
+                                        ["shell", "getprop", "ro.product.model"],
                                     );
                                     const model = modelResult.trim();
                                     if (model) {

src/extension/networkInspector/networkInspectorServer.ts

@@ -156,6 +156,7 @@ export class NetworkInspectorServer {
                     : this.untrustedRequestHandler,
                 transport: new RSocketTCPServer({
                     port: port,
+                    host: "127.0.0.1",
                     serverFactory: serverFactory,
                 }),
             });