Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Severe bug with shelljs #1004

Closed
niftylettuce opened this issue Aug 13, 2020 · 5 comments
Closed

Severe bug with shelljs #1004

niftylettuce opened this issue Aug 13, 2020 · 5 comments
Labels

Comments

@niftylettuce
Copy link

@niftylettuce niftylettuce commented Aug 13, 2020

I have discovered a major issue with shelljs, affecting the latest version as of this message.

This has been disclosed along with stack traces and screenshots by email for now to ntfschr@google.com and cthielen@netflix.com.

cc @christopherthielen @nfischer

@christopherthielen
Copy link
Contributor

@christopherthielen christopherthielen commented Aug 13, 2020

I'm just a user of this project, not a member, so I'm unsubscribing from this thread.

@niftylettuce
Copy link
Author

@niftylettuce niftylettuce commented Aug 13, 2020

My mistake @christopherthielen, looked like you were a contributor/member from the commit log but that was just from a PR it appears.

@nfischer nfischer mentioned this issue Aug 13, 2020
@wmertens
Copy link

@wmertens wmertens commented Sep 4, 2020

well this is ominous, and it's still open? How can shelljs have a security vulnerability when it's just wrapping system methods and not providing any privilege escalation?

@nfischer
Copy link
Member

@nfischer nfischer commented Sep 11, 2020

@niftylettuce contacted me separately by email, and I've responded. I was waiting for more information from them, but I think I have an idea what's going on.

If I understand correctly, @niftylettuce (1) believed they were not executing ShellJS and (2) they were surprised to find leftover temp files created by ShellJS.

They privately shared a stack trace which includes this line:

https://github.com/forwardemail/python-dkim-verify/blob/56f7cb95a534c9c267d9831f524b45cd79e56322/index.js#L13-L17

which clearly is executing ShellJS. So I think ShellJS was not acting on its own, and they were mistaken about point (1).

Regarding (2): shell.exec() uses disk IO to implement IPC when operating in sync mode. This generally isn't a problem since ShellJS typically cleans up the temp files when exec() finishes. In this case, they ran out of disk space (not caused by ShellJS) which created an exception and caused exec() to fail without cleaning up the file. This is a bit surprising, but it's not a security issue in my opinion. We could let exec() anticipate this type of error, but it seems rare enough to not be worth it, and I intend to deprecate exec() anyway in the next release (the alternative won't use disk IO for IPC).

Assuming I've understood the concerns correctly and that we agree this is not a security issue, I'm going to consider this "working as intended." If you still think this is a security issue, please elaborate so I can address your concerns.

@nfischer nfischer closed this Sep 11, 2020
@nfischer nfischer added the wontfix label Sep 11, 2020
@wmertens
Copy link

@wmertens wmertens commented Sep 11, 2020

Ah cool. As for (2), until the replacement is ready, an option would be to unlink() the temp files as soon as all parties have a handle to the inode. Then they are pre-cleaned up. This won't work on Windows of course.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.