This repository has been archived by the owner on Jan 19, 2023. It is now read-only.
This is not an advisory, but rather I'm contesting an existing advisory (https://ossindex.sonatype.org/vuln/560f37f7-6c1d-4b9c-aad3-34dcfcf218d7).

We have a huge amount of discussion at shelljs/shelljs#945, but in short, we do not consider this to be a vulnerability within the ShellJS module. The shell.exec() method, due to its API surface, cannot detect the difference between intentional and unintentional globbing or chained commands. Furthermore, shell.exec() does not expose any functionality that child_process.exec() does not already expose, and the API surface is identical. Like child_process.exec(), our explicit expectation is for dependent modules to sanitize their own input accordingly.

I would like to request that you consider taking this report down, as for many ShellJS users (who do not use shell.exec(), or use it safely), it's entirely unactionable. If you're concerned about command injection, I recommend you look at modules which depend on either ShellJS or child_process and consider reviewing their usage of either .exec() method.

Thanks for the note. I think you definitely make a strong argument and I will start "retraction procedures". It may take a day or two for the changes to surface in the public database.

Whoops. Got lost in the shuffle. The change has been approved and should find its way to the public database by sometime tomorrow. Sorry for the delay.