From f42f28628b224901c28e91b9cc8151eb9ad94d87 Mon Sep 17 00:00:00 2001
From: Mufeed VH <mufeedvh@gmail.com>
Date: Fri, 22 May 2020 20:25:08 +0530
Subject: [PATCH 1/3] Buffer() to Buffer.alloc() security issue fix

---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/index.js b/index.js
index 8a11b30..2e719db 100644
--- a/index.js
+++ b/index.js
@@ -92,7 +92,7 @@ exports.request = function (options, callback) {
       , err
       , stderr = ''
       , stdoutlen
-      , stdout = new Buffer(stdoutlen = 0)
+      , stdout = new Buffer.alloc(stdoutlen = 0)
       , encoding
       , complete
       , cleanup
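Review bot: The `new` in front of `Buffer.alloc(...)` on the added line should be dropped, because `Buffer.alloc` is a factory function rather than a constructor; write `, stdout = Buffer.alloc(stdoutlen = 0)`. `Buffer.alloc` is also missing on the old Node releases that package.json in this series still admits with `"node": ">= 0.4.0"`, so either raise the `engines` floor or guard the call. With a length of 0 the old constructor could not expose uninitialised memory at this spot, so the change mainly removes a deprecated API. Any other `new Buffer(size)` calls in `exports.request`, whose body starts and ends outside this hunk, are the ones that would need the same audit.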

From bc086f5de64f612a2dd2d22403fa5e9625abe02e Mon Sep 17 00:00:00 2001
From: Mufeed VH <mufeedvh@gmail.com>
Date: Fri, 22 May 2020 20:25:27 +0530
Subject: [PATCH 2/3] added shell-escape module

---
 package.json | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/package.json b/package.json
index 467f184..50a4972 100755
--- a/package.json
+++ b/package.json
@@ -1,16 +1,24 @@
-{ "name"          : "curlrequest",
-  "description"   : "A curl wrapper for node",
-  "version"       : "1.0.1",
-  "homepage"      : "https://github.com/node-js-libs/curlrequest",
-  "author"        : "Chris O'Hara <cohara87@gmail.com>",
-  "main"          : "index",
+{
+  "name": "curlrequest",
+  "description": "A curl wrapper for node",
+  "version": "1.0.1",
+  "homepage": "https://github.com/node-js-libs/curlrequest",
+  "author": "Chris O'Hara <cohara87@gmail.com>",
+  "main": "index",
   "repository": {
     "type": "git",
     "url": "http://github.com/node-js-libs/curlrequest.git"
   },
-  "engines": { "node": ">= 0.4.0" },
-  "licenses": [{
-    "type": "MIT",
-    "url": "http://github.com/node-js-libs/curlrequest/raw/master/LICENSE"
-  }]
+  "engines": {
+    "node": ">= 0.4.0"
+  },
+  "licenses": [
+    {
+      "type": "MIT",
+      "url": "http://github.com/node-js-libs/curlrequest/raw/master/LICENSE"
+    }
+  ],
+  "dependencies": {
+    "shell-escape": "^0.2.0"
+  }
 }
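Review bot: The only functional change in this hunk is the new `dependencies` entry, and it is buried in a re-indent of the whole file; moving the formatting into its own commit would let the dependency addition be reviewed on its own. `"shell-escape": "^0.2.0"` is a floating range for a package that ends up on the path that builds child-process arguments, and no lockfile is part of this series. Consider pinning an exact version so the code that was reviewed is the code that gets installed.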

From d654ba787db1322adae825abdbfb71dd808a6af4 Mon Sep 17 00:00:00 2001
From: Mufeed VH <mufeedvh@gmail.com>
Date: Fri, 22 May 2020 20:25:49 +0530
Subject: [PATCH 3/3] fixed command injection

---
 spawn.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/spawn.js b/spawn.js
index 134a710..1252e08 100644
--- a/spawn.js
+++ b/spawn.js
@@ -1,4 +1,5 @@
 var child = require('child_process');
+var shellescape = require('shell-escape');
 
 /**
  * Limit the amount of processes that can be spawned per tick.
@@ -13,7 +14,7 @@ var spawned = 0
  */
 
 module.exports = function (cmd, args, options, callback) {
-    var args = Array.prototype.slice.call(arguments);
+    var args = shellescape(Array.prototype.slice.call(arguments));
     if (spawned < max_per_tick) {
         spawned++;
         callback(child.spawn.apply(child, args.slice(0, -1)));
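Review bot: The added `shellescape(...)` call turns `args` into a single string, because shell-escape joins the array it is given into one quoted command line; the following `args.slice(0, -1)` then only trims one character, and `child.spawn.apply(child, <string>)` throws a TypeError instead of spawning. The whole `arguments` list is passed in, so the `options` object and the `callback` function go through the escaper as well. `child.spawn` without the `shell` option hands its arguments straight to the program and never to a shell, so shell quoting is not the right control at this point. Keep `var args = Array.prototype.slice.call(arguments);` and validate the caller-supplied option values where they are turned into curl arguments (not visible in this patch), for example by rejecting non-string values. The function body continues past the end of this hunk.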