Fixed Command Injection Security Issue #1

Closed
wants to merge 1 commit into from

realgam3

After finding a command injection vulnerability in the code,
I made a new package to fix this issue...

About Command Injection: https://www.owasp.org/index.php/Command_Injection

Vulnerable Code example:

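var ws = require('windows-shortcuts');

var payload = "calc.exe";
var link_path = '%USERPROFILE%/Desktop/';
// The embedded double quote ends the quoted path early; "&&" then chains the payload.
var appName = 'Facebook" && ' + payload + ' && echo "';
var icon_path = '%WINDIR%/notepad.exe';

// The attacker-influenced name becomes part of the shortcut path passed to the library.
ws.create(link_path + appName + ".lnk", {
    icon: icon_path
});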

This code will run calc.exe while creating the shortcut.

You can double-check my code to be sure that it didn't break the functionality.

Owner

j201 commented Aug 11, 2015

Sorry I haven't gotten back to you on this. I've been out of the loop on my GitHub repos recently, but I hope to get back to you on this soon.

As far as injection security goes, my original use cases for this were more for automation utilities that wouldn't take untrusted input. But I agree that it makes sense for it to handle untrusted input.

For a security application such as this, I would generally prefer a module that's seen more real-world use. I don't want to pass judgement on node-php-escape-shell itself, I would just feel more comfortable with a more tested package. I'd also like to look at the code and API first to see if the vulnerability can be avoided without explicit escaping.

(Also, at this point, I agree that package.json should use 2 spaces. I was hoping for it to be configurable, or at least use tabs so users could choose their own indents, but isaacs seems to be of the opinion that npm isn't responsible for its JSON, even though --save and --save-dev have become part of many npm workflows. Oh well.)

@realgam3 realgam3 closed this Jul 14, 2020
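
The thread raises avoiding the injection "without explicit escaping". As an added example (not code from this pull request or from windows-shortcuts), the block below contrasts a single shell command string with an argument array for `child_process.execFile`, which runs no shell. The helper name `shortcut-helper.exe`, the `/F:` and `/I:` switches, and all function names are hypothetical, and the `&&` splitter is a simplified model of cmd.exe, not its full grammar.

```javascript
// Hypothetical helper binary and switches; stand-ins for whatever the library invokes.
const HELPER = 'shortcut-helper.exe';

// Unsafe pattern: one string destined for a shell (e.g. child_process.exec).
function buildShellCommand(lnkPath, icon) {
  return `${HELPER} /F:"${lnkPath}" /I:"${icon}"`;
}

// Simplified model of cmd.exe: "&&" outside double quotes starts a new command.
function splitShellCommands(cmd) {
  const commands = [];
  let current = '';
  let inQuotes = false;
  for (let i = 0; i < cmd.length; i++) {
    if (cmd[i] === '"') inQuotes = !inQuotes;
    if (!inQuotes && cmd.startsWith('&&', i)) {
      commands.push(current.trim());
      current = '';
      i++; // skip the second '&'
      continue;
    }
    current += cmd[i];
  }
  commands.push(current.trim());
  return commands;
}

// Safer pattern: one array element per argument, suitable for
// child_process.execFile(HELPER, argv). No shell parses the values.
function buildArgv(lnkPath, icon) {
  return [`/F:${lnkPath}`, `/I:${icon}`];
}

// Defence in depth: reject characters Windows does not allow in file names,
// so a legitimate shortcut name is never refused.
function isValidShortcutName(lnkPath) {
  const name = lnkPath.split(/[\\/]/).pop();
  return name.length > 0 && !/["<>|?*\x00-\x1f]/.test(name);
}

// Constructed inputs: the name from the report above, and a benign one.
const reported = '%USERPROFILE%/Desktop/Facebook" && calc.exe && echo ".lnk';
const benign = '%USERPROFILE%/Desktop/Facebook.lnk';
const icon = '%WINDIR%/notepad.exe';

console.log(splitShellCommands(buildShellCommand(reported, icon)));
console.log(buildArgv(reported, icon), isValidShortcutName(reported));
```

With the argument array the reported name stays a single argument, and the file-name check rejects it before any process is started.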