This repository has been archived by the owner on Apr 15, 2020. It is now read-only.

huntr - Remote Code Execution Fix #60

Open · wants to merge 5 commits into master

Conversation

huntr-helper

https://app.huntr.dev/users/mufeedvh has fixed a security vulnerability (Remote Code Execution) 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this? Get involved at https://huntr.dev/!

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1

@JamieSlome

@onkis @mooz @toddself - any updates on this?

@toddself
Collaborator

I am generally against console.log calls in libraries -- they can cause issues with CI systems, and given that this library never logs, it is very unexpected.

I would suggest rather than rejecting this, you should strip them out from the command and run with the characters stripped out.

Additionally, this needs tests to prove that it doesn't interfere with legitimate uses of this library.

@JamieSlome

JamieSlome commented Mar 27, 2020

@toddself - I have passed this feedback on to the original contributor (@mufeedvh) - they will comment shortly. Thanks! 👍

In the meantime, there is some information in the original merge request that is of value (418sec#1).

@toddself
Collaborator

@JamieSlome I'm confused that this was fixed somewhere on a fork first? ¯\_(ツ)_/¯

Yeah, there is a remote code execution issue here, but the risk is pretty low I feel -- you'd have to be passing in non-sanitized input from a remote source to invoke this. If the OP would update their PR with the requested changes I'd be happy to merge it, although I do not have publish permissions on npm for this package.

@JamieSlome

@toddself - it was fixed through the huntr bug bounty platform. We request users to fork "our fork" to then do quality checks on the submitted security fixes.

We can await comments and updates from the original contributor and go from there! 🍰

4 participants