shell-quote@0.0.1

Vulnerabilities

1 via 1 paths

Dependencies

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity

Command Injection

  • Vulnerable module: shell-quote
  • Introduced through: shell-quote@0.0.1

Detailed paths

  • Introduced through: shell-quote@0.0.1
    Remediation: Upgrade to shell-quote@1.6.1.

Overview

shell-quote is a package used to quote and parse shell commands.

Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the following special characters <, >, ;, {, } , and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information.

Proof of Concept

Consider the following poc.js application

var quote = require('shell-quote').quote;
var exec = require('child_process').exec;

var userInput = process.argv[2];

var safeCommand = quote(['echo', userInput]);

exec(safeCommand, function (err, stdout, stderr) {
  console.log(stdout);
});

Running the following command will not only print the character a as expected, but will also run the another command, i.e touch malicious.sh

$ node poc.js 'a;{touch,malicious.sh}'

Remediation

Upgrade shell-quote to version 1.6.1 or higher.

References