RUSTSEC-2024-0446
- Source
- https://rustsec.org/advisories/RUSTSEC-2024-0446
- Import Source
- https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0446.json
- JSON Data
- https://api.osv.dev/v1/vulns/RUSTSEC-2024-0446
- Aliases
- Published
- 2024-07-26T12:00:00Z
- Modified
- 2025-12-22T14:11:50.755632Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Shell expansion in custom commands
- Details
-
Summary
Undocumented and unpredictable shell expansion and/or quoting rules make it easily to accidentally cause shell injection when using custom commands with starship in bash.
Details
I wanted to show the git commit name in my prompt (I use bash), so I added a command:
[custom.git_commit_name] command = 'git show -s --format="%<(25,mtrunc)%s"' style = "italic" when = trueTo my surprise, when I had a commit with backticks in it, the backticks were expanded. e.g.:
touch foo git add foo git commit -m '`ls`'Thankfully I noticed it on my own commit before checking out someone's code whose commit message was
rm -rf /important/stuffThe documentation says:
Command output is printed unescaped to the prompt
Whatever output the command generates is printed unmodified in the prompt. This means if the output contains special sequences that are interpreted by your shell they will be expanded when displayed. These special sequences are shell specific, e.g. you can write a command module that writes bash sequences, e.g. \h, but this module will not work in a fish or zsh shell. Format strings can also contain shell specific prompt sequences, e.g. Bash, Zsh.However, it doesn't specifically mention shell injection with $() and backticks; it just mentions the prompt escape sequences, and the link doesn't suggest any shell injection possibilities either.
Furthermore, I can't even figure out how to properly escape things, because simply changing the command to
command = 'printf %q "$(git show -s --format="%<(25,mtrunc)%s")"'doesn't work, as it's also adding a backslash before spaces. I also tried
use_stdin=falseI'm not 100% sure this qualifies as a vulnerability, but I feel it is not documented well enough to warn unsuspecting users, and it certainly is not documented how to properly quote things, because after 15-30 minutes of trying, I can't figure it out.
I see some past commits about fixing shell injection with $, and it does seem like the problem doesn't exist in build-in modules like git branch.
PoC
Have some custom command which prints out information from a potentially untrusted/unverified source.
[custom.git_commit_name] command = 'git show -s --format="%<(25,mtrunc)%s"' style = "italic" when = trueImpact
People with custom commands, so the scope is limited, and without knowledge of people's commands, it could be hard to target people. The only one I saw in the example custom commands that may be vulnerable is the playerctl one.
- Database specific
{ "license": "CC-BY-4.0" }- References
Affected packages
crates.io / starship
Package
- Name
- starship
- View open source insights on deps.dev
- Purl
- pkg:cargo/starship