The npm package shell-quote, version 0.0.0, is the initial release of a utility for parsing and quoting shell commands in Node.js. Released in May 2012, it provides two core operations: parsing a shell command string into its individual components (arguments, operators, and so on), and the reverse, building a command string from an array of arguments with quoting and escaping intended to make the shell treat each element as exactly one argument.
Version 0.0.0 declares no runtime dependencies and relies only on Node.js built-in modules. Its sole development dependency is the tap test framework (~0.2.5), used for the package's own tests. It was authored by James Halliday (substack) and is released under the MIT license. With no earlier stable version on record, it is the base from which all later releases descend. Because the package's whole job is to make argument quoting correct, its correctness is a security property: any shell metacharacter it fails to escape is a potential injection point, which is exactly what the advisory below describes.
Vulnerabilities affecting version 0.0.0 of the package
Potential Command Injection in shell-quote
Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.
The following characters are not escaped properly: > ; { }
Bash has a neat but not well known feature, brace expansion: a comma-separated list between { and } is expanded to one word per alternative, so a command and its arguments can be written without any spaces, using , in place of the space to separate them. Because ; { and } pass through unescaped, an argument such as a;{echo,test,123,234} reaches the shell as two commands, a followed by echo test 123 234. Full command injection is therefore possible even though it was initially thought to be impossible.
const quote = require('shell-quote').quote;
// The advisory's payload: ';' ends the first command and '{echo,test,123,234}' brace-expands into a second one.
console.log(quote(['a;{echo,test,123,234}']));
// Actual   "a;{echo,test,123,234}"   (;, { and } are returned unescaped)
// Expected "a\;\{echo,test,123,234\}"
// What the shell actually runs for the unescaped output: "a; echo test 123 234"
Update to version 1.6.1 or later.
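The following is an added example, not code from this page or from the shell-quote project. It puts the failure mode side by side with a hardened form: escapeDenyList is a hypothetical deny-list escaper written here to stand in for the class of bug the advisory describes (it backslash-escapes a hand-picked set of metacharacters and forgets ; { } >; it is not shell-quote's real implementation), and quotePosix is the allow-list alternative that wraps anything non-trivial in single quotes. braceExpand and shellModel are a deliberately small model of how bash tokenizes a line and applies comma brace expansion, enough to show what each quoter's output turns into; they are not a real shell and ignore redirection, variables and globbing. isInjected is a helper name chosen for this example.

```javascript
// Added example, not shell-quote's own code. escapeDenyList is a hypothetical
// stand-in for the bug class in the advisory, not the library's implementation.
// shellModel/braceExpand are a toy model of bash tokenizing plus comma brace
// expansion, not a real shell (no redirection, variables or globbing).

// Hypothetical vulnerable quoter: backslash-escapes a hand-picked set of
// metacharacters and lets everything else (including ; { } >) through.
function escapeDenyList(arg) {
  return arg.replace(/([ "'$`\\&|()<*?])/g, '\\$1');
}

// Hardened quoter: single quotes disable every expansion in a POSIX shell. The
// only character that cannot appear inside them is ' itself, handled by closing
// the quote, emitting \', and reopening: it's  ->  'it'\''s'
function quotePosix(arg) {
  if (arg === '') return "''";
  if (/^[A-Za-z0-9_./:=@%+-]+$/.test(arg)) return arg; // nothing to protect
  return "'" + arg.replace(/'/g, "'\\''") + "'";
}

function quoteArgs(args, quoter) {
  return args.map(quoter).join(' ');
}

// bash comma brace expansion: "a{b,c}d" -> ["abd", "acd"], applied recursively.
function braceExpand(word) {
  const m = /^(.*?)\{([^{}]*,[^{}]*)\}(.*)$/.exec(word);
  if (!m) return [word];
  return m[2].split(',').flatMap(alt => braceExpand(m[1] + alt + m[3]));
}

// Toy shell: split a line into commands on unquoted ';' and into words on
// unquoted spaces, honouring backslash escapes and single quotes. Words that
// contained no quoting are brace-expanded, as bash does; quoted words are not.
function shellModel(line) {
  const commands = [];
  let argv = [];
  let i = 0;
  while (i < line.length) {
    const c = line[i];
    if (c === ' ') { i++; continue; }
    if (c === ';') { if (argv.length) commands.push(argv); argv = []; i++; continue; }
    let word = '';
    let hadQuoting = false;
    while (i < line.length && line[i] !== ' ' && line[i] !== ';') {
      if (line[i] === '\\') {
        hadQuoting = true;
        word += line[i + 1] || '';
        i += 2;
      } else if (line[i] === "'") {
        hadQuoting = true;
        let end = line.indexOf("'", i + 1);
        if (end === -1) end = line.length;
        word += line.slice(i + 1, end);
        i = end + 1;
      } else {
        word += line[i];
        i++;
      }
    }
    argv.push(...(hadQuoting ? [word] : braceExpand(word)));
  }
  if (argv.length) commands.push(argv);
  return commands;
}

// Does quoting userArg for `echo <arg>` give the shell exactly one command with
// exactly that one argument? Anything else means the input changed the command.
function isInjected(userArg, quoter) {
  const cmds = shellModel(quoteArgs(['echo', userArg], quoter));
  return !(cmds.length === 1 && cmds[0].length === 2 && cmds[0][1] === userArg);
}

const payload = 'a;{echo,test,123,234}'; // the advisory's payload
console.log(quoteArgs([payload], escapeDenyList));                       // a;{echo,test,123,234}
console.log(JSON.stringify(shellModel(quoteArgs([payload], escapeDenyList)))); // [["a"],["echo","test","123","234"]]
console.log(quoteArgs([payload], quotePosix));                           // 'a;{echo,test,123,234}'
console.log(JSON.stringify(shellModel(quoteArgs([payload], quotePosix))));     // [["a;{echo,test,123,234}"]]
console.log(isInjected(payload, escapeDenyList), isInjected(payload, quotePosix)); // true false
```

The contrast is the point: a deny-list escaper is only as complete as its list, and here a single forgotten character (;) plus brace expansion is enough to turn one argument into two commands, while {echo,x} alone smuggles extra argv entries even without ;. Allow-list quoting never enumerates dangerous characters at all; it names the characters that are known to be safe and single-quotes everything else, so a new metacharacter cannot reopen the hole. Prefer that shape, or better, avoid the shell entirely by passing an argv array to child_process.execFile or spawn (without shell: true).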