shell-quote is an npm package for quoting and parsing shell commands from JavaScript, used by programs that build command lines for a shell. Versions 1.1.0 and 1.2.0 both provide the same core quote and parse functionality, the same description and GitHub repository, the same maintainer (James Halliday), the same development dependencies ('tap' and 'tape' for testing) and the same MIT license.
The only difference visible in the package metadata is the release date: 1.2.0 followed 1.1.0 closely, which usually means bug fixes, minor enhancements or dependency updates, but the metadata does not say which, so consult the package's changelog before relying on any specific change. One thing the metadata does not show is security: the command-injection advisory below applies to 1.2.0 as well, and the fix is in 1.6.1, so moving from 1.1.0 to 1.2.0 does not address it. Any program that passes user-controlled strings through shell-quote and then hands the result to a shell should upgrade past 1.6.1 or, better, avoid the shell entirely.
Vulnerabilities affecting version 1.2.0 of the package
Potential Command Injection in shell-quote
Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.
The following characters are not escaped properly: > ; { }
Bash has a neat but not well known feature, "brace expansion", whereby a word written between a set of {} and using the , instead of a space to separate the alternatives is expanded into several words before execution. Combined with an unescaped ; to end the preceding command, {echo,test,123,234} expands to echo test 123 234 and runs as a second command, so full command injection is possible even without a single space in the input, which is why the issue was initially thought to be impossible to exploit.
const quote = require('shell-quote').quote;
// The ; { } characters pass through untouched, so a shell sees two commands.
console.log(quote(['a;{echo,test,123,234}']));
// Actual (affected versions): a;{echo,test,123,234}
// Expected (metacharacters neutralised): a\;\{echo,test,123,234\}
// What a shell executes for the actual output: a; echo 'test' '123' '234'
Update to version 1.6.1 or later.