Snyk Vulnerability: Command Injection through shelljs
#29460
Comments
I agree that from what I can tell Angular is not affected by this vulnerability, but nonetheless the inclusion of shelljs does set off false-positives in many scanners. We use Angular for government applications, and the presence of this false-positive has caused quite a bit of consternation. We've had people suggest downgrading our version of Angular because then the threat-level of the vulnerability goes from High to Medium, but we've decided against it because a false-positive is always better than an actual vuln. Shelljs is not able to provide a timeline on this fix. shelljs/shelljs#495 I completely understand it's not your responsibility per se, but I ask you to consider removing shelljs as a dependency. Having a High threat vulnerability, even a false positive, for an indefinite future could hurt or hinder adoption. I don't know how much work it'd be, but considering you only use Thanks!
This really doesn't seem like a vulnerability in shelljs either. The functionality provided by the "exec" call is intended to allow an application using the library to execute an arbitrary command. If an application doesn't sanitize input before calling then the application itself has the security vulnerability, not the library.
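To make the distinction drawn in the comment above concrete, here is an added example (not code from Angular, ShellJS, or anyone in this thread): a small model of POSIX shell word-splitting shows that a command string built by interpolating untrusted input is parsed into extra commands, while the same value carried in an argv array (the shape `child_process.execFile` takes) or wrapped in single quotes stays one argument. `naiveShellSplit`, `shellQuote`, `buildArgv` and the sample input are all constructed for this example.

```javascript
// Added example: why an injection through shell.exec() is the calling
// application's defect (unsanitized input in a command string), not the library's.

// Constructed sample: an untrusted value an application might splice into a
// command, e.g. a filename taken from a request. The ';' is the injected part.
const UNTRUSTED_INPUT = "report.txt; echo injected";

// The pattern scanners should flag: a command string built by interpolation.
// The shell that runs it, not ShellJS, treats ';' as a command separator.
function buildCommandUnsafe(filename) {
  return `cat ${filename}`;
}

// POSIX single-quote escaping: wrap in '...' and turn each embedded ' into '\''.
function shellQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// Same command with the untrusted value quoted, so the shell sees one word.
function buildCommandQuoted(filename) {
  return `cat ${shellQuote(filename)}`;
}

// Preferred fix: no shell at all. This argv array is what child_process.execFile
// takes; the value is delivered as a single argument and never parsed.
function buildArgv(filename) {
  return ["cat", "--", filename];
}

// Minimal model of POSIX shell parsing: split on whitespace and ';' outside
// single quotes. Enough to show how many commands the shell would run.
function naiveShellSplit(command) {
  const commands = [];
  let word = "", words = [], inQuote = false;
  const flush = () => { if (word !== "") { words.push(word); word = ""; } };
  for (const ch of command) {
    if (ch === "'") inQuote = !inQuote;
    else if (!inQuote && ch === ";") { flush(); commands.push(words); words = []; }
    else if (!inQuote && /\s/.test(ch)) flush();
    else word += ch;
  }
  flush();
  if (words.length) commands.push(words);
  return commands;
}

// Number of separate commands the shell would execute for a command string.
function commandCount(command) {
  return naiveShellSplit(command).length;
}
```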
I'm using the last version of Angular, and I'm facing the same alert.
I am re-opening the issue, so we can use it for tracking the resolution of this. FWIW, I still believe that this is a false positive (from what I understand) and the correct resolution would be for the vulnerability reporting tools to stop reporting this. For context:
I contacted Snyk about this, and got the following response:
So I'm hopeful this will be sorted out the correct way pretty soon.
Hi all, I work on ShellJS.
I think you misunderstood. This is not a fix, it's my project to implement a feature request. Landing that PR will not "fix" the "vulnerability." I acknowledge I haven't provided a timeline for the feature: my time for ShellJS is very limited and must balance feature work with other work for the module. As such, I have no clue when I can finish that feature, or if a satisfactory solution is even technically feasible.
I agree with what the Angular team has expressed on this thread. The resolution should be for Snyk and similar services to remove this false positive and flag modules which misuse
We've spent years working to get the semantics right for these bash commands, and are still working hard to get proper coverage/behavior. Rewriting from scratch would probably introduce a lot of deviations from the POSIX behavior (and copy-paste might create license issues). So, while I can't stop folks from doing this, I would strongly advise against adding error-prone implementations to replace existing solutions.
Thanks for reaching out @SanderElias! Reading the quoted response, it might be misinterpreted as Snyk is waiting on action from me. My last communication with them was prior to your comment, but they said they need no action from ShellJS or me and they're not currently ready to take down this vulnerability report. But I'm happy to help out within reason if they need further action from ShellJS.
Hey @nfischer
Agree completely with this. For the record this has always been my preferred resolution; I suggested Angular remove the dependency due to i) the relatively limited use of shelljs ii) my desire for a quick resolution. I've always understood and represented this issue as a false positive.
Since 7186f9c, `compiler-cli` is no longer depending on `shelljs` for production code. (We still use it in tests and infrastructure/tooling.) Incidentally, this should also help with angular#29460.
It turns out that we no longer use ShellJS in But, again, I believe the correct resolution is for the vulnerability alert to be taken down ✌️
Seems like we have a resolution 🎉 shelljs/shelljs#945 (comment)
🐞 bug report
Affected Package
The issue is caused by package shelljs which is a dependency for @angular/compiler-cli
Severity
CVSS SCORE 7.0 High Severity
Description
Shelljs is vulnerable to Command Injection. It is possible to invoke commands from shell.exec() from external sources, allowing an attacker to inject arbitrary commands.
🌍 Your Environment
Angular Version:
Anything else relevant?
GitHub Issue 1
GitHub Issue 2
Snyk Report