
Snyk vulnerability DB reporting command injection vulnerability in ShellJS #810

Closed
webstackdev opened this issue Jan 10, 2018 · 2 comments
Labels: exec (Issues specific to the shell.exec() API), security

Comments


webstackdev commented Jan 10, 2018

Node version (or tell us if you're using electron or some other framework):

8.0.0

ShellJS version (the most recent version/Github branch you see the bug on):

0.7.8

Operating system:

Linux

Description of the bug:

Snyk reports high severity vulnerability in shelljs

Example ShellJS command to reproduce the error:

In a repository with ShellJS as a dependency:

username> snyk test

 High severity vulnerability found on shelljs@0.7.8
- desc: Command Injection
- info: https://snyk.io/vuln/npm:shelljs:20140723
- from: xxx@0.1.0 > shelljs@0.7.8
Fix: None available. Consider removing this dependency.

This is related to issues 143, 495, and PR 524. Wasn't sure if the project was aware that ShellJS will break builds using vulnerability scanning in their CI workflow.

nfischer (Member) commented:

Dupe of #766.

Known issue. If you don't use shell.exec(), you have no problem. If you do use shell.exec(), don't pass untrusted user input (or other external values) to the function--string literals are of course the safest option.

As you pointed out, I've been working on this for a bit (#524 is a demo). The goal is to provide a better alternative to exec and then to deprecate it (not sure if this satisfies your CI case, but I'd rather not remove it immediately to reduce migration burden).


webstackdev commented Jan 12, 2018

Thank you for the response, and thanks for your work on the library. Sorry I missed the dup - I searched but didn't see it.

nfischer added a commit that referenced this issue Jun 26, 2019
No change to logic.

This adds documentation about `shell.exec()`'s inherent vulnerability to
command injection and links to a more detailed security notice.

Issue #103, #143, #495, #810, #938, #945
@nfischer nfischer added security exec Issues specific to the shell.exec() API labels Jun 26, 2019
nfischer added a commit that referenced this issue Jun 26, 2019
No change to logic.

This adds documentation about `shell.exec()`'s inherent vulnerability to
command injection and links to a more detailed security notice.

Issue #103, #143, #495, #765, #766, #810, #842, #938, #945
@shelljs shelljs locked as resolved and limited conversation to collaborators Jul 1, 2019