
Trying to get in touch regarding a security issue


Hey there!

I belong to an open source security research community, and a member (@haxatron) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

3 reactions
nfischer commented, Jan 7, 2022

Thanks for the report. I believe this is a valid issue in ShellJS, so I’ve created a fix and pushed a release.

  • The patch for this is https://github.com/shelljs/shelljs/pull/1060. That PR landed on tip-of-tree (master branch); however, I also cherry-picked this onto the 0.8-release branch.
  • This fix was released in 0.8.5. The patch for this bug is the only change between 0.8.4 and 0.8.5.
  • I’m trying to figure out a nice way to edit the CHANGELOG.md to explain what went into these two versions, but this doesn’t work well with the tool we use to automate changelog generation. I’ll need to think a bit more about how to mix manual edits with the autogenerated changelog.
  • I added a SECURITY.md in https://github.com/shelljs/shelljs/pull/1061. For future reference, the best way to get in contact with me for security issues is with the email address in that page.

If you believe this patch is insufficient, please let me know privately via email and I’ll gladly investigate further.

0 reactions
nfischer commented, Jan 10, 2022

The report should be public now. I recommend folks upgrade to ShellJS 0.8.5 to ensure they have the fix.

This bug only impacts the synchronous version of shell.exec(). All other ShellJS methods (including the async usage of shell.exec()) should not be impacted; however, it’s of course perfectly safe to update ShellJS anyway.
