GHSA-44vr-rwwj-p88h

Published: 15 Jul 2022
Source: github
GitHub: Reviewed
CVSS3: 9.8

Description

Shescape vulnerable to insufficient escaping of whitespace

Impact

This only impacts users that use the escape or escapeAll functions with the interpolation option set to true. Example:

```javascript
import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "bash",
  // Or shell: "dash",
  // Or shell: "powershell.exe",
  // Or shell: "zsh",
  // Or shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple)
const payload = "foo #bar";

// 3. Usage
let escapedPayload;
escapedPayload = shescape.escape(payload, { interpolation: true });
// Or
// escapedPayload = shescape.escapeAll(payload, { interpolation: true });

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_
```

The result is that if an attacker is able to include whitespace in their input they can:

  1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
    • Affected shells: Bash, Dash, Zsh, PowerShell
  2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
    • Affected shells: Bash
  3. Invoke arbitrary commands by inserting a line feed character.
    • Affected Shells: Bash, Dash, Zsh, PowerShell
  4. Invoke arbitrary commands by inserting a carriage return character.
    • Affected Shells: PowerShell

Patches

Behaviour number 1 has been patched in v1.5.7 which you can upgrade to now. No further changes are required.

Behaviour number 2, 3, and 4 have been patched in v1.5.8 which you can upgrade to now. No further changes are required.

Workarounds

The best workaround is to avoid having to use the interpolation: true option - in most cases using an alternative is possible, see the recipes for recommendations.

Alternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085' which is not included in JavaScript's definition of \s for Regular Expressions.
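The gap described in this workaround, as an added example that is not code from the advisory or from shescape: a `\s`-based strip leaves U+0085 in place, while a character class that adds it does not. The helper names are hypothetical, and the class `\s` plus U+0085 is an assumption drawn only from the advisory's example, not a verified complete list for every shell.

```javascript
// Added example: hypothetical helpers, not part of shescape.

// Naive stripping: relies only on JavaScript's \s character class.
function stripWhitespaceNaive(input) {
  return input.replace(/\s/gu, "");
}

// Stricter stripping: \s plus U+0085 (NEXT LINE), which the advisory says
// must be stripped for PowerShell but is not matched by \s.
// Assumption: this class is not claimed to be exhaustive for every shell.
function stripWhitespaceStrict(input) {
  return input.replace(/[\s\u0085]/gu, "");
}

// Report where whitespace occurs, so input can be rejected and logged
// instead of being silently altered.
function findWhitespace(input) {
  const hits = [];
  let index = 0;
  for (const ch of input) {
    if (/[\s\u0085]/u.test(ch)) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      hits.push({ index, codePoint: `U+${hex}` });
    }
    index += ch.length; // advance by UTF-16 code units
  }
  return hits;
}

// Constructed sample inputs (not taken from real traffic).
const samples = ["foo #bar", "foo\nbar", "foo\rbar", "foo\u0085#bar"];
for (const sample of samples) {
  console.log(JSON.stringify(sample), {
    naive: stripWhitespaceNaive(sample),
    strict: stripWhitespaceStrict(sample),
    found: findWhitespace(sample).map((hit) => hit.codePoint),
  });
}
```
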

Packages

Name: shescape (npm)
Affected versions: >= 1.4.0, < 1.5.8
Fixed version: 1.5.8

EPSS

Percentile: 77%
0.0108
Low

9.8 Critical

CVSS3

Weaknesses

CWE-74

Related vulnerabilities

CVSS3: 9.8
nvd
more than 3 years ago

Shescape is a simple shell escape package for JavaScript. Affected versions were found to have insufficient escaping of white space when interpolating output. This issue only impacts users that use the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. The result is that if an attacker is able to include whitespace in their input they can: 1. Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace. 2. Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters. 3. Invoke arbitrary commands by inserting a line feed character. 4. Invoke arbitrary commands by inserting a carriage return character. Behaviour number 1 has been patched in [v1.5.7] which you can upgrade to now. No further changes are required. Behaviour number 2, 3, and 4 have been patched in [v1.5.8] which you can upgrade to now. No further changes are required. The best wor
