Shell-quote is a lightweight and efficient npm package designed for parsing and quoting shell commands, crucial for applications needing to interact with shell environments. Version 1.3.0 builds upon the solid foundation of version 1.2.0, offering subtle but potentially important updates for developers. Both versions share the same MIT license and are authored by James Halliday, ensuring continued open-source availability and consistent author support. The repository remains constant, indicating no fundamental shift in the project's structure or maintenance strategy.
The key differences lie primarily in the development dependencies. Version 1.3.0 upgrades the 'tap' testing framework dependency from '~0.4.0' to '~0.4.2' and 'tape' from '~0.3.3' to '~1.0.2'. While seemingly minor, these dependency updates can reflect improvements in testing rigor and compatibility. Upgrading 'tape' to a 1.x version is the more substantial change: it may introduce new features or API adjustments in the testing environment, which can influence how contributions are validated and so indirectly affect developer workflows during contributions. The release dates show that version 1.3.0 was published shortly after version 1.2.0, which can hint at bug fixes or minor feature enhancements. Developers should weigh these testing-related dependency upgrades when choosing between the two versions, opting for version 1.3.0 if they want the latest testing tools, potentially greater stability, and the most up-to-date maintenance.
All vulnerabilities affecting version 1.3.0 of the package
Potential Command Injection in shell-quote
Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.
The following characters are not escaped properly: '>', ';', '{' and '}'.
Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of {} and using the , instead of a space to separate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.
const quote = require('shell-quote').quote;
// The ';' and the '{...}' brace group pass through unescaped, so the shell
// terminates the first command and expands the braces into a second one.
console.log(quote(['a;{echo,test,123,234}']));
// Actual "a;{echo,test,123,234}"
// Expected "a\;\{echo,test,123,234\}"
// Functional Equivalent "a; echo 'test' '123' '234'"
Update to version 1.6.1 or later.
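The following is an added example, not shell-quote's own code. It models the flaw the advisory describes with a hypothetical naiveQuote that leaves '>', ';', '{' and '}' untouched, places beside it a safeQuote that neutralises every metacharacter by single-quoting (the remediation approach a defender wants when the library cannot be upgraded immediately), and adds an unquotedMetachars scanner that walks a quoted command string the way a POSIX shell tokenises quotes and backslashes and reports which of the four listed characters would still reach the shell unquoted. All three function names, and the naive quoter's escape list, are assumptions for this example; the payload is the one from the advisory.

```javascript
// Added example, not shell-quote's code. naiveQuote, safeQuote, unquotedMetachars
// and compareQuoters are hypothetical names chosen for this illustration.

const METACHARS = ['>', ';', '{', '}']; // the four characters the advisory lists

// Naive quoter modelled on the behaviour the advisory describes (an assumption,
// not shell-quote 1.3.0's actual implementation): an argument with no whitespace
// or quotes is only backslash-escaped for a short list that omits > ; { }.
function naiveQuote(args) {
  return args.map((s) => {
    if (/["'\s]/.test(s)) {
      return '"' + s.replace(/(["\\$`!])/g, '\\$1') + '"';
    }
    return s.replace(/([\\$`()!#&*|])/g, '\\$1');
  }).join(' ');
}

// Safe quoter: every argument outside a conservative allow-list is wrapped in
// single quotes. A single-quoted POSIX word is fully literal; the only character
// it cannot contain is ' itself, written as '\'' (close, escaped quote, reopen).
function safeQuote(args) {
  return args.map((arg) => {
    const s = String(arg);
    if (s === '') return "''";
    if (/^[A-Za-z0-9_\-.\/=:@%+]+$/.test(s)) return s;
    return "'" + s.replace(/'/g, "'\\''") + "'";
  }).join(' ');
}

// Scanner: collect every listed metacharacter that is neither quoted nor escaped.
function unquotedMetachars(cmd) {
  const found = [];
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) {                      // inside '...' only the closing ' is special
      if (c === "'") inSingle = false;
      continue;
    }
    if (c === '\\') { i++; continue; }   // backslash protects the next character
    if (inDouble) {                      // inside "..." the four listed characters are literal
      if (c === '"') inDouble = false;
      continue;
    }
    if (c === "'") { inSingle = true; continue; }
    if (c === '"') { inDouble = true; continue; }
    if (METACHARS.includes(c)) found.push(c);
  }
  return found;
}

// Run both quoters over the same argument list and report what each one leaks.
function compareQuoters(args) {
  const naive = naiveQuote(args);
  const safe = safeQuote(args);
  return {
    naive,
    naiveLeaks: unquotedMetachars(naive),
    safe,
    safeLeaks: unquotedMetachars(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Payload from the advisory: the naive quoter leaks ; { } while the safe one leaks nothing.
  console.log(compareQuoters(['a;{echo,test,123,234}']));
  // Constructed argument list mixing whitespace, an embedded quote and a redirect.
  console.log(compareQuoters(['echo', 'hi there', "it's", 'x>y']));
}
```

The scanner is the piece worth keeping around: run it over the string a quoting library produces, before that string reaches a shell, and treat any non-empty result as a bug in the quoter rather than something to patch around in the caller.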