Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00NHZyLXJ3d2otcDg4aM4AAtaE

Shescape vulnerable to insufficient escaping of whitespace

Impact

This only impacts users that use the escape or escapeAll functions with the interpolation option set to true. Example:

import cp from "node:child_process";
import * as shescape from "shescape";

// 1. Prerequisites
const options = {
  shell: "bash",
  // Or
  shell: "dash",
  // Or
  shell: "powershell.exe",
  // Or
  shell: "zsh",
  // Or
  shell: undefined, // Only if the default shell is one of the affected shells.
};

// 2. Attack (one of multiple)
const payload = "foo #bar";

// 3. Usage
let escapedPayload;
shescape.escape(payload, { interpolation: true });
// Or
shescape.escapeAll(payload, { interpolation: true });

cp.execSync(`echo Hello ${escapedPayload}!`, options);
// _Output depends on the shell being used_

The result is that if an attacker is able to include whitespace in their input they can:

Invoke shell-specific behaviour through shell-specific special characters inserted directly after whitespace.
- Affected shells: Bash, Dash, Zsh, PowerShell
Invoke shell-specific behaviour through shell-specific special characters inserted or appearing after line terminating characters.
- Affected shells: Bash
Invoke arbitrary commands by inserting a line feed character.
- Affected Shells: Bash, Dash, Zsh, PowerShell
Invoke arbitrary commands by inserting a carriage return character.
- Affected Shells: PowerShell

Patches

Behaviour number 1 has been patched in v1.5.7 which you can upgrade to now. No further changes are required.

Behaviour number 2, 3, and 4 have been patched in v1.5.8 which you can upgrade to now. No further changes are required.

Workarounds

The best workaround is to avoid having to use the interpolation: true option - in most cases using an alternative is possible, see the recipes for recommendations.

Alternatively, you can strip all whitespace from user input. Note that this is error prone, for example: for PowerShell this requires stripping '\u0085' which is not included in JavaScript's definition of \s for Regular Expressions.

References

For more information

Comment on:
- For behaviour 1 (PowerShell): https://github.com/ericcornelissen/shescape/pull/322
- For behaviour 1 (Bash, Dash, Zsh): https://github.com/ericcornelissen/shescape/pull/324
- For behaviour 2, 3, 4 (any shell): https://github.com/ericcornelissen/shescape/pull/332
Open an issue at https://github.com/ericcornelissen/shescape/issues (New issue > Question > Get started)
If you're missing CMD from this advisory, see https://github.com/ericcornelissen/shescape/security/advisories/GHSA-jjc5-fp7p-6f8w

Permalink: https://github.com/advisories/GHSA-44vr-rwwj-p88h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NHZyLXJ3d2otcDg4aM4AAtaE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: over 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-44vr-rwwj-p88h, CVE-2022-31180
References:

Repository: https://github.com/ericcornelissen/shescape
Blast Radius: 14.2

Affected Packages

npm:shescape

Dependent packages: 15
Dependent repositories: 28
Downloads: 14,687 last month
Affected Version Ranges: >= 1.4.0, < 1.5.8
Fixed in: 1.5.8
All affected versions: 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.5.8, 1.5.9, 1.5.10, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1