Shell-quote is a lightweight npm package for parsing and quoting shell commands in JavaScript environments. Versions 1.5.0 and 1.6.0 share a common foundation, both providing the core functions for manipulating shell commands. Developers using this library can parse complex command-line strings into structured data or quote strings that are destined for a command line, a crucial aspect for security-conscious applications.
Both versions depend on jsonify, array-map, array-filter, and array-reduce, indicating a reliance on functional programming helpers and JSON handling. The only development dependency is tape, used for the library's tests. Both versions are licensed under MIT, so developers can use the package without restriction and are free to contribute to the project.
The key difference between the two versions is their release date: version 1.5.0 was released on March 16, 2016, and version 1.6.0 on April 24, 2016, which suggests that 1.6.0 likely incorporates bug fixes, performance improvements, or minor feature enhancements. While the core functionality is the same, upgrading to version 1.6.0 is recommended to benefit from the latest improvements and to ensure compatibility with evolving project requirements. Developers needing a robust shell command parsing and quoting solution will find shell-quote a valuable tool, with version 1.6.0 the slightly refined and more current option.
All vulnerabilities affecting version 1.6.0 of the package
Potential Command Injection in shell-quote
Affected versions of shell-quote do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.
The following characters are not escaped properly: ">", ";", "{" and "}".
Bash has a neat but not well known feature, "Bash Brace Expansion", with which a sub-command can be executed without spaces by writing it between a set of {} and using "," instead of a space to separate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.
const quote = require('shell-quote').quote;
// quote() joins the array into one command line; in 1.6.0 the ';', '{' and '}' pass through unescaped
console.log(quote(['a;{echo,test,123,234}']));
// Actual "a;{echo,test,123,234}"
// Expected "a\;\{echo,test,123,234\}"
// Functional Equivalent "a; echo 'test' '123' '234'"
Update to version 1.6.1 or later.