GHSA-j55r-787p-m549

// vulnerable.js import { exec } from "node:child_process"; import { Worker, isMainThread } from 'node:worker_threads'; import * as shescape from "shescape"; if (isMainThread) { // 1. Something like a worker thread must be used. The reason being that they // unexpectedly change environment variable names on Windows. new Worker("./vulnerable.js"); } else { // 2. Example configuration that's problematic. In this setup example the // expected default system shell is CMD. We configure the use of PowerShell. // Shescape will fail to look up PowerShell and default to escaping for CMD // instead, resulting in the vulnerability. const options = { shell: "powershell", interpolation: true, }; // 3. Using shescape to protect against attacks, this is correct. const escaped = shescape.escape("&& ls", options); // 4. Invoking a command with the escaped user input, this is vulnerable in // this case. exec(`echo Hello ${escaped}`, options, (error, stdout) => { if (error) { console.error(`An error occurred: ${error}`); } else { console.log(stdout); } }); }