[CVE-2021-28458] Security Fix for Command Injection - huntr.dev (#117)

Azure · Mar 23, 2021 · 1b8dcfb · 1b8dcfb
1 parent a7b3f55
commit 1b8dcfb
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 3.0.8 - 2021/03/23
+- Fix command injection in core function `execAz()` by replacing `exec()` with `execFile()` - CVE-2021-28458
+
 ## 3.0.7 - 2021/02/23
 - Updated doc comments on all exported members to follow TSDoc for better API reference documentation.
 

diff --git a/lib/login.ts b/lib/login.ts
@@ -3,7 +3,7 @@
 
 import * as adal from "adal-node";
 import * as msRest from "@azure/ms-rest-js";
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { readFileSync } from "fs";
 import { Environment } from "@azure/ms-rest-azure-env";
 import { TokenCredentialsBase } from "./credentials/tokenCredentialsBase";
@@ -951,7 +951,7 @@ export function loginWithAppServiceMSI(options?: MSIAppServiceOptions | Callback
  */
 export async function execAz(cmd: string): Promise<any> {
   return new Promise<any>((resolve, reject) => {
-    exec(`az ${cmd} --out json`, { encoding: "utf8" }, (error, stdout) => {
+    execFile(`az`, [cmd, `--out json`], { encoding: "utf8" }, (error, stdout) => {
       if (error) {
         return reject(error);
       }

diff --git a/package.json b/package.json
@@ -5,7 +5,7 @@
     "email": "azsdkteam@microsoft.com",
     "url": "https://github.com/Azure/ms-rest-nodeauth"
   },
-  "version": "3.0.7",
+  "version": "3.0.8",
   "description": "Azure Authentication library in node.js with type definitions.",
   "keywords": [
     "node",