Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix: unsafe shell command constructed from library input #2455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

fix: unsafe shell command constructed from library input #2455

wants to merge 1 commit into from

Conversation

odaysec
Copy link
Contributor

@odaysec odaysec commented May 15, 2025

mongosh/packages/editor/src/editor.ts

Lines 243 to 246 in e9bfb2b

const proc = spawn(editor, [path.basename(tmpDoc)], {
stdio: 'inherit',
cwd: path.dirname(tmpDoc),
shell: true,

fix the issue should avoid using shell: true and instead pass the command and its arguments as an array to the spawn function. This ensures that the arguments are not interpreted by the shell, mitigating the risk of shell injection. Specifically:

  1. Replace the spawn call with a version that does not use shell: true.
  2. Pass the full path to the editor and the temporary file as separate arguments to spawn.

This approach ensures that the command is executed directly without shell interpretation, making it safe from injection attacks.

@addaleax addaleax mentioned this pull request May 15, 2025
Closed
@addaleax
Copy link
Collaborator

@odaysec It seems you are creating pull requests across multiple GitHub repositories, potentially based on detecting specific patterns in source code automatically. Unfortunately, it also seems that you are not taking into account the circumstances under which the code in question runs, and what its intended behavior would be. I will close this PR and #2454 as they do not appear to be targeting legitimate vulnerabilities in this software.

For the future, please be encouraged to bring up genuine security issues, but be advised that opening PRs across a broad set of repositories automatically without understanding the target source code will generally not help your reputation as a security researcher, and rather will put your PRs at risk of being marked as spam and reported to GitHub.

@addaleax addaleax closed this May 15, 2025
@odaysec odaysec deleted the patch-2 branch May 15, 2025 11:30
@jacopotediosi
Copy link

Things like this make legitimate security researchers look bad. It's a shame.

@addaleax addaleax mentioned this pull request Oct 14, 2025
Closed
@addaleax addaleax added the invalid This doesn't seem right label Oct 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

invalid This doesn't seem right

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@odaysec @addaleax @jacopotediosi
Morty Proxy This is a proxified and sanitized view of the page, visit original site.