You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
https://github.com/gajus/pg-formatter/blob/master/src/format.js#L112 runs perl with an executablePath which is not properly quoted. If the working-directory name contains spaces or other special characters, they will be interpreted as shell syntax. In the normal case, someone made the mistake of checking out their project to a directory with spaces in a parent path, and this winds up crashing. (This happened to another developer on my team). In the worst case, admittedly an unlikely case given how this library would normally be used but definitely not impossible, this is running in a context where the parent path has an attacker-controlled directory name in it, and this injects arbitrary shell or perl code.
The text was updated successfully, but these errors were encountered:
https://github.com/gajus/pg-formatter/blob/master/src/format.js#L112 runs perl with an
executablePath
which is not properly quoted. If the working-directory name contains spaces or other special characters, they will be interpreted as shell syntax. In the normal case, someone made the mistake of checking out their project to a directory with spaces in a parent path, and this winds up crashing. (This happened to another developer on my team). In the worst case, admittedly an unlikely case given how this library would normally be used but definitely not impossible, this is running in a context where the parent path has an attacker-controlled directory name in it, and this injects arbitrary shell or perl code.The text was updated successfully, but these errors were encountered: