
Security issue: shelljs


Bug and Security

Problem

Our goal is not to prevent malicious attacks but to prevent user problems from normal folder naming. Please make sure the user can have spaces and $ in folder names.

There are different shells that use different escape symbols. I would like to support Windows Terminal, PowerShell and (git) bash.

Notes

Escape symbols

  • *nix uses \
  • Windows Terminal uses ^

This almost works for *nix but not for Windows paths because the escape symbols are different:

```js
// Escape only " and $ before interpolating the install directory into a shell string.
// This covers a space or a $ in the folder name on *nix, but cmd.exe uses ^ as its
// escape character, so the same string breaks on Windows.
let escapedDirname = __dirname.replace(/(["$])/g, "\\$1");
console.log(__dirname);
console.log(escapedDirname);

// The escaped path is still interpolated into a single command line that a shell parses.
let cmd = `npm run --prefix "${escapedDirname}" start`;
console.log(cmd);
require("shelljs").exec(cmd);
```

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 9 (3 by maintainers)

Top GitHub Comments

1 reaction
nfischer commented, Jul 9, 2019

Hi, ShellJS maintainer here. Chiming in with a couple thoughts.

> I’m not sure if shelljs will provide an update that will sanitize your input.

We’re not going to sanitize your input for this API. This is an explicit requirement for using shell.exec(). We have recommendations to help you accomplish this.

> In our scenario we could get injected by the __dirname parameter to contain executable commands, but is this even possible?

I recommend you err on the side of caution. What if someone installs your project into a folder named `/path/to/malicious folder name; rm -rf*/subdir/` (all of which are legal unix filename characters)? Even if you think this is a non-issue because the attacker already has control over the system, the power to mkdir shouldn’t be the power to execute arbitrary code. At the very least, you have a bug if you’re installed in a folder with a space in the name, which is a totally reasonable folder name.

0 reactions
fatihi commented, Aug 9, 2019

We just updated the description and changed the goal.

