Fix command injection vulnerability
@ronomon/opened was vulnerable to a command injection vulnerability that would allow a remote attacker to execute commands on the system if the library was used with untrusted input. The root cause of the problem was line 87 in index.js which took potential untrusted input as part of a string executed as a command by `child_process.exec()`. While the arguments were escaped by @ronomon/opened, an attacker could still bypass this sanitization because `child_process.exec()` will also interpret the string as a shell command. This fix moves to `execFile` to spawn the binary with separate arguments that will not also be interpreted as shell commands. Thanks to Fábio Freitas, a security analyst at Checkmarx's CxSCA group, for discovering and disclosing the vulnerability, providing clear steps to reproduce and suggestions for mitigation.