Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix: shell command built from environment values #2454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: shell command built from environment values #2454

wants to merge 1 commit into from

Conversation

odaysec
Copy link
Contributor

@odaysec odaysec commented May 15, 2025

mongosh/scripts/generate-authors.ts

Line 18 in 53febd4

`git log --reverse --format='%aN <%aE>' --use-mailmap -- ${packagePath}`,

mongosh/scripts/generate-authors.ts

Line 43 in 53febd4

`lerna list -a --loglevel=error --json`,

To fix the issue, we will replace the use of execSync with a dynamically constructed shell command by using execFileSync. This method allows us to pass the command and its arguments as separate parameters, avoiding interpretation by the shell. Specifically:

  1. Replace the dynamic command string `git log --reverse --format='%aN <%aE>' --use-mailmap -- ${packagePath}` with a static command (git log) and an array of arguments.
  2. Pass packagePath as an argument in the array, ensuring it is treated as a literal value and not interpreted by the shell.

This change will ensure that special characters in packagePath do not alter the behavior of the command.

Dynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.

POC

The following shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.

var cp = require("child_process"),
  path = require("path");
function cleanupTemp() {
  let cmd = "rm -rf " + path.join(__dirname, "temp");
  cp.execSync(cmd); // BAD
}

The shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path. if the absolute path of the temporary directory is /home/username/important project/temp, then the shell command will recursively delete /home/username/important and project/temp, where the latter path gets resolved relative to the working directory of the JavaScript process.

Even worse, although less likely, a malicious user could provide the path /home/username/; cat /etc/passwd #/important project/temp in order to execute the command cat /etc/passwd. To avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:

var cp = require("child_process"),
  path = require("path");
function cleanupTemp() {
  let cmd = "rm",
    args = ["-rf", path.join(__dirname, "temp")];
  cp.execFileSync(cmd, args); // GOOD
}

References

Command Injection
CWE-78
CWE-88

@addaleax
Copy link
Collaborator

@odaysec It seems you are creating pull requests across multiple GitHub repositories, potentially based on detecting specific patterns in source code automatically. Unfortunately, it also seems that you are not taking into account the circumstances under which the code in question runs, and what its intended behavior would be. I will close this PR and #2455 as they do not appear to be targeting legitimate vulnerabilities in this software.

For the future, please be encouraged to bring up genuine security issues, but be advised that opening PRs across a broad set of repositories automatically without understanding the target source code will generally not help your reputation as a security researcher, and rather will put your PRs at risk of being marked as spam and reported to GitHub.

@addaleax addaleax closed this May 15, 2025
@addaleax addaleax mentioned this pull request May 15, 2025
Closed
@odaysec odaysec deleted the patch-1 branch May 15, 2025 11:30
@addaleax addaleax mentioned this pull request Oct 14, 2025
Closed
@addaleax addaleax added the invalid This doesn't seem right label Oct 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

invalid This doesn't seem right

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@odaysec @addaleax
Morty Proxy This is a proxified and sanitized view of the page, visit original site.