From ded35a743daaf05dd46e9c93b769716fa6520fb3 Mon Sep 17 00:00:00 2001
From: ewin
Date: Thu, 4 Sep 2025 23:07:04 -0400
Subject: [PATCH] fix potential base64 injection

"EOF" is made up of entirely valid base64 characters, it would be bad if the program crashed because we tried to diff a file whose base64 representation contained the string EOF. underscores don't appear in base64 strings
---
 lib/util/diff.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/util/diff.js b/lib/util/diff.js
index c30fa7a..eaa2fc3 100644
--- a/lib/util/diff.js
+++ b/lib/util/diff.js
@@ -27,12 +27,12 @@ export function diff (a, b, page) {
 // https://stackoverflow.com/a/60221847
 // use tail to cut off file info lines and re-add with fake filenames/dates
 // this function is so extra now holy shit
- execSync(String.raw`bash <<- 'EOF'
+ execSync(String.raw`bash <<- '_EOF_'
 diff --color=always -u \
 ${labels ? `--label="$(echo '${toBase64(labels[0])}' | base64 -d)" ` : ''}<(echo '${toBase64(a)}' | base64 -d) \
 ${labels ? `--label="$(echo '${toBase64(labels[1])}' | base64 -d)" ` : ''}<(echo '${toBase64(b)}' | base64 -d) \
 ${labels ? `|| true` : `| tail -n +3` /* cut off header if no labels */}
- EOF`, {
+ _EOF_`, {
 // display result directly in terminal
 stdio: 'inherit',
 });
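Review bot: The delimiter rename only matters if a whole heredoc line could equal the delimiter, and bash ends a `<<-` heredoc on a line that, after leading-tab stripping, is exactly the delimiter — every body line here begins with `diff`, `${labels` or `<(echo`, so as far as I can tell a base64 payload merely containing `EOF` mid-line would not have terminated the old heredoc either; the change is harmless, but the commit message overstates the failure. What actually keeps `a`, `b` and `labels` out of the shell is that `toBase64` is assumed to emit only `[A-Za-z0-9+/=]`; that holds for the standard alphabet but not for URL-safe base64, which does use `_`, so the "underscores never appear" guarantee depends on which encoder `toBase64` wraps and that assumption is not recorded anywhere in the hunk. A comment above `execSync` would pin it: `// shell safety relies on toBase64 emitting standard-alphabet base64 (no quotes, no '_'), so no payload line can match the '_EOF_' delimiter or break out of its single quotes`. The enclosing `diff` function starts before this hunk.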