sanitizeShellString() improvement

CHANGELOG.md

@@ -77,6 +77,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page.
 
 | Version        | Date           | Comment  |
 | -------------- | -------------- | -------- |
+| 5.6.3          | 2021-03-10     | `sanitizeShellString()` improvement |
 | 5.6.2          | 2021-03-10     | `networkInterfaces()` `cpu()` improvement (win) |
 | 5.6.1          | 2021-03-03     | `get()` fixed issue boolean parameters |
 | 5.6.0          | 2021-03-03     | `cpuTemperature()` added socket and chipset temp (linux) |

docs/history.html

@@ -56,6 +56,11 @@ <h3>Full version history</h3>
                   </tr>
                 </thead>
                 <tbody>
+                  <tr>
+                    <th scope="row">5.6.3</th>
+                    <td>2021-03-14</td>
+                    <td><span class="code">sanitizeShellString()</span> improvements</td>
+                  </tr>
                   <tr>
                     <th scope="row">5.6.2</th>
                     <td>2021-03-10</td>

docs/index.html

@@ -166,11 +166,11 @@
 <body>
   <header class="bg-image-full">
     <div class="top-container">
-      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.3.2</a>
+      <a href="security.html" class="recommendation">Security advisory:<br>Update to v5.6.3</a>
       <img class="logo" src="assets/logo.png">
       <div class="title">systeminformation</div>
       <div class="subtitle"><span id="typed"></span>&nbsp;</div>
-      <div class="version">New Version: <span id="version">5.6.2</span></div>
+      <div class="version">New Version: <span id="version">5.6.3</span></div>
       <button class="btn btn-light" onclick="location.href='https://github.com/sebhildebrandt/systeminformation'">View on Github <i class=" fab fa-github"></i></button>
     </div>
     <div class="down">
@@ -209,7 +209,7 @@
         <div class="title">Downloads last month</div>
       </div>
       <div class="col-xl-4 col-lg-4 col-md-4 col-12">
-        <div class="numbers">395</div>
+        <div class="numbers">397</div>
         <div class="title">Dependents</div>
       </div>
     </div>

docs/security.html

@@ -43,6 +43,23 @@
           <div class="col-12 sectionheader">
             <div class="title">Security Advisories</div>
             <div class="text">
+              <h2>Command Injection Vulnerability</h2>
+              <p><span class="bold">Affected versions:</span>
+                &lt; 5.6.3 and &lt; 4.34.13<br>
+                <span class="bold">Date:</span> 2021-03-14<br>
+                <span class="bold">CVE indentifier</span> -
+              </p>
+
+              <h4>Impact</h4>
+              <p>We had an issue that there was a possibility to perform a potential command injection possibility by passing a manipulated string prototype as a parameter to the following functions. Affected commands: <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span>.</p>
+
+              <h4>Patch</h4>
+              <p>Problem was fixed with additional parameter checking. Please upgrade to version >= 5.6.3 (or >= 4.34.13 if you are using version 4).</p>
+
+              <h4>Workarround</h4>
+              <p>If you cannot upgrade, be sure to check or sanitize parameter strings that are passed to <span class="code">inetLatency()</span>, <span class="code">inetChecksite()</span>, <span class="code">services()</span>, <span class="code">processLoad()</span> (string only)</p>
+              <hr>
+              <br>
               <h2>Insufficient File Scheme Validation</h2>
               <p><span class="bold">Affected versions:</span>
                 &lt; 5.3.2 and &lt; 4.34.12<br>

lib/util.js

@@ -529,10 +529,11 @@ function sanitizeShellString(str, strict = false) {
       s[i] === '\'' ||
       s[i] === '`' ||
       s[i] === '"' ||
-      strict && s[i] === '@' ||
-      strict && s[i] === ' ' ||
-      strict && s[i] == '{' ||
-      strict && s[i] == ')')) {
+      s[i].length > 1 ||
+      (strict && s[i] === '@') ||
+      (strict && s[i] === ' ') ||
+      (strict && s[i] == '{') ||
+      (strict && s[i] == ')'))) {
       result = result + s[i];
     }
   }