0

I am getting this error on my github alerts after updating my project to angular 8.0.3.

It is a vulnerability with no remediation.

No patched version is available.

Shelljs 0.8.3 and before are vulnerable to Command Injection.
Commands can be invoked from shell.exec(),
those commands will include input from external sources,
to be passed as arguments to system executables
and allowing an attacker to inject arbitrary commands.

Does anybody have any information available on this?

mruanova
  • 6,351
  • 6
  • 37
  • 55

2 Answers2

2

I'm the ShellJS maintainer. The details are in this comment, but to summarize:

  • This is not a vulnerability in ShellJS
  • It's possible to misuse shell.exec() or child_process.exec() in an insecure way, so direct dependencies should consult our security guidelines
  • Modules which are transitively using ShellJS should either trust their dependencies to verify correct usage (previous bullet point) or go through their dependency tree to verify these dependencies
    • It's not enough to look for packages using ShellJS because child_process.exec() has the same possibility for misuse (and it's a core node API, so it doesn't show up in package-lock files)

The previous answer says this "may be" a vulnerability, but I've since clarified on the Github thread this is not a vulnerability in our module, and direct dependencies need to make sure they use our module safely and securely.

nfischer
  • 181
  • 3
1

According to this thread, it may be a false alarm. May is the key word. You cannot be passing user input to the shell module. Many people do and then it’s a huge problem. As long as you never pass user input to exec, then you can use GitHub tooling to disable this warning.

Kuba hasn't forgotten Monica
  • 95,931
  • 16
  • 151
  • 313