This repository has been archived by the owner on Jan 19, 2023. It is now read-only.
Advisory regarding ShellJS #23
Comments
|
Thanks for the note. I think you definitely make a strong argument and I will start "retraction procedures". It may take a day or two for the changes to surface in the public database. |
|
Whoops. Got lost in the shuffle. The change has been approved and should find its way to the public database by sometime tomorrow. Sorry for the delay. |
|
Looks good: https://ossindex.sonatype.org/component/pkg:npm/shelljs Thanks! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
This is not an advisory, but rather I'm contesting an existing advisory (https://ossindex.sonatype.org/vuln/560f37f7-6c1d-4b9c-aad3-34dcfcf218d7).
We have a huge amount of discussion at shelljs/shelljs#945, but in short, we do not consider this to be a vulnerability within the ShellJS module. The
shell.exec()method, due to its API surface, cannot detect the difference between intentional and unintentional globbing or chained commands. Furthermore,shell.exec()does not expose any functionality thatchild_process.exec()does not already expose, and the API surface is identical. Likechild_process.exec(), our explicit expectation is for dependent modules to sanitize their own input accordingly.I would like to request that you consider taking this report down, as for many ShellJS users (who do not use
shell.exec(), or use it safely), it's entirely unactionable. If you're concerned about command injection, I recommend you look at modules which depend on either ShellJS orchild_processand consider reviewing their usage of either.exec()method.The text was updated successfully, but these errors were encountered: