NodeJS/shell-quote/0.0.1


quote and parse shell commands

https://www.npmjs.com/package/shell-quote
MIT

3 Security Vulnerabilities

Improper Neutralization of Special Elements used in a Command in Shell-quote

Published date: 2022-05-24T19:18:27Z
CVE: CVE-2021-42740

The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command run with exec(), an attacker can inject arbitrary commands. The cause is that the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]: [A-z] spans ASCII 0x41 through 0x7A, so it also matches the six characters between capital Z and lower-case a ([ \ ] ^ _ and the backtick), and a backtick accepted by the drive-letter group is passed through without its escaping backslash.

Affected versions: ["0.0.0", "0.0.1", "0.1.0", "0.1.1", "1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.5.0", "1.6.0", "1.6.1", "1.6.2", "1.6.3", "1.7.0", "1.7.1", "1.7.2"]
Secure versions: [1.7.3, 1.7.4, 1.8.0, 1.8.1]
Recommendation: Update to version 1.8.1.

Potential Command Injection in shell-quote

Published date: 2019-02-18T23:58:29Z
CVE: CVE-2016-10541

Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.

Proof of Concept:

The following characters are not escaped properly: > ; { }

Bash has a neat but not well known feature, brace expansion, wherein a sub-command can be executed without spaces by placing it between a set of {} and using , instead of a space to separate the arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.

   const quote = require('shell-quote').quote;
   // shell-quote < 1.6.1 leaves ; { } and , untouched, so the braces reach bash
   console.log(quote(['a;{echo,test,123,234}']));
   // Actual                    "a;{echo,test,123,234}"
   // Expected                  "a\;\{echo,test,123,234\}"
   // Functional Equivalent     "a; echo 'test' '123' '234'"

Recommendation

Update to version 1.6.1 or later.

Affected versions: ["0.0.0", "0.0.1", "0.1.0", "0.1.1", "1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.5.0", "1.6.0"]
Secure versions: [1.7.3, 1.7.4, 1.8.0, 1.8.1]
Recommendation: Update to version 1.8.1.

Potential Command Injection

Published date: 2016-06-21
CVSS Score: 8.4
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Coordinating vendor: Lift Security

The npm module shell-quote cannot correctly escape the > and < operators used for redirection in the shell. I'm wondering if this might be a possible vulnerability for many applications which depend on shell-quote.

For example:

   const quote = require('shell-quote').quote;
   console.log(quote(['foo>bar']));

will print foo>bar, where foo\>bar is desirable.

This module is downloaded more than 1M times per month and many other modules depend on it. If an application is escaping command-line args with this module, it might be vulnerable to malicious user input.

For example:

```
var sq = require('../tests/get/shell-quote-1.6.0'); // the reporter's local copy of shell-quote 1.6.0
var exec = require('child_process').exec;

var pattern = process.argv[2];

// quote() is meant to make `pattern` safe, but < and > are passed through unchanged
var command = sq.quote(['grep', pattern]);
exec('cat file | ' + command, function (err, stdout, stderr) {
  console.log(command, stdout);
});
```

will be vulnerable when the user inputs something like pattern = ':</etc/passwd', which causes the content of /etc/passwd to be leaked.

Internally, Jon Lamendola, Nick Starke and Jacob Waddell found that the ; { and } characters were not escaped properly either. This allows full command injection: a malicious user could input 'a;{echo,test,123,234}' to run echo as a separate command, because bash brace expansion turns {echo,test,123,234} into the words echo test 123 234.

Affected versions: ["0.0.0", "0.0.1", "0.1.0", "0.1.1", "1.0.0", "1.1.0", "1.2.0", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.4.0", "1.4.1", "1.4.2", "1.4.3", "1.5.0", "1.6.0"]
Secure versions: [1.7.3, 1.7.4, 1.8.0, 1.8.1]
Recommendation: Upgrade to at least version 1.6.1

27 Other Versions

(Security = number of the advisories above that affect the version; - = none)

Version  License  Security  Released          Age
1.8.1    MIT      -         2023-04-07 20:56  about 1 year
1.8.0    MIT      -         2023-01-31 03:27  about 1 year
1.7.4    MIT      -         2022-10-13 16:52  over 1 year
1.7.3    MIT      -         2021-10-21 06:34  over 2 years
1.7.2    MIT      1         2019-09-01 07:46  over 4 years
1.7.1    MIT      1         2019-08-13 13:35  over 4 years
1.7.0    MIT      1         2019-08-13 07:52  over 4 years
1.6.3    MIT      1         2019-08-13 07:41  over 4 years
1.6.2    MIT      1         2019-08-13 07:15  over 4 years
1.6.1    MIT      1         2016-06-17 20:43  almost 8 years
1.6.0    MIT      3         2016-04-24 05:53  about 8 years
1.5.0    MIT      3         2016-03-16 17:58  about 8 years
1.4.3    MIT      3         2015-03-08 03:47  about 9 years
1.4.2    MIT      3         2014-07-20 21:27  almost 10 years
1.4.1    MIT      3         2013-12-25 01:00  over 10 years
1.4.0    MIT      3         2013-10-18 01:40  over 10 years
1.3.3    MIT      3         2013-06-24 12:01  almost 11 years
1.3.2    MIT      3         2013-06-24 11:50  almost 11 years
1.3.1    MIT      3         2013-05-13 13:48  almost 11 years
1.3.0    MIT      3         2013-05-13 13:42  almost 11 years
1.2.0    MIT      3         2013-05-13 12:10  almost 11 years
1.1.0    MIT      3         2013-05-13 10:35  almost 11 years
1.0.0    MIT      3         2013-05-13 10:27  almost 11 years
0.1.1    MIT      3         2013-04-17 08:06  about 11 years
0.1.0    MIT      3         2013-04-15 04:36  about 11 years
0.0.1    MIT      3         2012-05-18 18:25  almost 12 years
0.0.0    MIT      3         2012-05-18 10:42  almost 12 years