Command Injection Affecting shell-quote package, versions <1.6.1
Snyk ID npm:shell-quote:20160621
- published 21 Jun 2016
- disclosed 21 Jun 2016
- credit Koki Takahashi, Node Security Team
Introduced: 21 Jun 2016
CVE-2016-10541
How to fix?
Upgrade shell-quote to version 1.6.1 or higher.
Overview
shell-quote is a package used to quote and parse shell commands.
Affected versions of this package are vulnerable to Command Injection. The quote function does not properly escape the special characters <, >, ;, { and }, and as a result can be used by an attacker to inject malicious shell commands or leak sensitive information.
Proof of Concept
Consider the following poc.js application:
var quote = require('shell-quote').quote;
var exec = require('child_process').exec;
// Untrusted input taken straight from the command line
var userInput = process.argv[2];
// With shell-quote < 1.6.1, ';', '{' and '}' in userInput survive unescaped
var safeCommand = quote(['echo', userInput]);
// exec() hands the string to /bin/sh, which then interprets the injected operators
exec(safeCommand, function (err, stdout, stderr) {
  console.log(stdout);
});
Running the following command will not only print the character a as expected, but will also run another command, i.e. touch malicious.sh:
$ node poc.js 'a;{touch,malicious.sh}'