sanitizing input and updating test

Makefile

@@ -8,11 +8,11 @@ ifeq ($(findstring /,$(URCHIN)),) # urchin path was NOT passed in.
 		# Add the local npm packages' bin folder to the PATH, so that `make` can find them, when invoked directly.
 		# Note that rather than using `$(npm bin)` the 'node_modules/.bin' path component is hard-coded, so that invocation works even from an environment
 		# where npm is (temporarily) unavailable due to having deactivated an nvm instance loaded into the calling shell in order to avoid interference with tests.
-	export PATH := $(shell printf '%s' "$$PWD/node_modules/.bin:$$PATH")
+	export PATH := $(shell printf '%s' "$$PWD/node_modules/.bin:/Users/narfdre/.nvm/versions/node/v22.1.0/bin:$$PATH")
 		# The list of all supporting utilities, installed with `npm install`.
 	UTILS := $(URCHIN) replace semver
 		# Make sure that all required utilities can be located.
-	UTIL_CHECK := $(or $(shell PATH="$(PATH)" which $(UTILS) >/dev/null && echo 'ok'),$(error Did you forget to run `npm install` after cloning the repo? At least one of the required supporting utilities not found: $(UTILS)))
+	UTIL_CHECK := $(or $(shell PATH="$(PATH)" which $(UTILS) >/dev/null && echo 'ok'),$(error Did you forget to run `npm install` after cloning the repo? At least one of the required supporting utilities not found: $(UTILS), $(PATH)))
 endif
 	# The files that need updating when incrementing the version number.
 VERSIONED_FILES := nvm.sh install.sh README.md package.json

README.md

@@ -530,6 +530,17 @@ NVM_IOJS_ORG_MIRROR=https://iojs.org/dist nvm install iojs-v1.0.3
 
 `nvm use` will not, by default, create a "current" symlink. Set `$NVM_SYMLINK_CURRENT` to "true" to enable this behavior, which is sometimes useful for IDEs. Note that using `nvm` in multiple shell tabs with this environment variable enabled can cause race conditions.
 
+#### Pass Authorization header to mirror
+To pass an Authorization header through to the mirror url, set `$NVM_AUTH_HEADER`
+
+```sh
+export NVM_NODEJS_ORG_MIRROR=https://nodejs.org/dist
+export NVM_AUTH_HEADER="Bearer secret-token"
+nvm install node
+
+NVM_NODEJS_ORG_MIRROR=https://nodejs.org/dist NVM_AUTH_HEADER="Bearer secret-token" nvm install 4.2
+```
+
 ### .nvmrc
 
 You can create a `.nvmrc` file containing a node version number (or any other string that `nvm` understands; see `nvm --help` for details) in the project root directory (or any parent directory).

nvm.sh

@@ -117,16 +117,19 @@ nvm_get_latest() {
 
 nvm_download() {
   if nvm_has "curl"; then
-    local CURL_OPTIONS=()
+    local CURL_COMPRESSED_FLAG=""
+    local CURL_HEADER_FLAG=""
 
     if [ -n "$NVM_AUTH_HEADER" ]; then
-      CURL_OPTIONS+=(--header "$NVM_AUTH_HEADER")
+        sanitized_header=$(nvm_sanitize_auth_header "$NVM_AUTH_HEADER")
+        CURL_HEADER_FLAG="--header \"Authorization: $sanitized_header\""
     fi
 
     if nvm_curl_use_compression; then
-      CURL_OPTIONS+=(--compressed)
+        CURL_COMPRESSED_FLAG="--compressed"
     fi
-    curl -q --fail "${CURL_OPTIONS[@]}" "$@"
+
+    eval "curl -q --fail ${CURL_COMPRESSED_FLAG:-} ${CURL_HEADER_FLAG:-} $@"
   elif nvm_has "wget"; then
     # Emulate curl with wget
     ARGS=$(nvm_echo "$@" | command sed -e 's/--progress-bar /--progress=bar /' \
@@ -147,6 +150,11 @@ nvm_download() {
   fi
 }
 
+nvm_sanitize_auth_header() {
+    # Remove potentially dangerous characters
+    echo "$1" | sed 's/[^a-zA-Z0-9:;_. -]//g'
+}
+
 nvm_has_system_node() {
   [ "$(nvm deactivate >/dev/null 2>&1 && command -v node)" != '' ]
 }

test/fast/Unit tests/nvm_download

@@ -19,7 +19,7 @@ nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/de
 # nvm_download should pass when calling with auth header
 docker pull kennethreitz/httpbin && docker run -d --name httpbin -p 80:80 kennethreitz/httpbin
 sleep 1 # wait for httpbin to start
-NVM_AUTH_HEADER="Authorization: Bearer test-token"
+NVM_AUTH_HEADER="Bearer test-token"
 nvm_download "http://127.0.0.1/bearer" > /dev/null || die "nvm_download unable to send auth header"
 unset NVM_AUTH_HEADER
 docker stop httpbin && docker rm httpbin