From 68c382221e4b2810d53f1a0277dccc9cc74b8a1f Mon Sep 17 00:00:00 2001
From: Nate Fischer
Date: Wed, 26 Jun 2019 08:10:59 -0700
Subject: [PATCH] docs(exec): document security concerns (#950)

No change to logic. This adds documentation about `shell.exec()`'s inherent vulnerability to command injection and links to a more detailed security notice.
Issue #103, #143, #495, #765, #766, #810, #842, #938, #945
---
 README.md | 5 +++++
 src/exec.js | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index e01d0fd6..e0c31252 100644
--- a/README.md
+++ b/README.md
@@ -340,6 +340,11 @@ Not seeing the behavior you want? `exec()` runs everything through `sh`
 by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
 
+**Note:** as `shell.exec()` executes an arbitrary string in the system
+shell, it is **critical** to properly sanitize user input to avoid command
+execution. For more context, consult the [Security
+guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
+
 
 ### find(path [, path ...])
 ### find(path_array)
diff --git a/src/exec.js b/src/exec.js
index f63fd5bb..e6077a33 100644
--- a/src/exec.js
+++ b/src/exec.js
@@ -177,6 +177,11 @@ function execAsync(cmd, opts, pipe, callback) {
 //@ Not seeing the behavior you want? `exec()` runs everything through `sh`
 //@ by default (or `cmd.exe` on Windows), which differs from `bash`. If you
 //@ need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option.
+//@
+//@ **Note:** as `shell.exec()` executes an arbitrary string in the system
+//@ shell, it is **critical** to properly sanitize user input to avoid command
+//@ execution. For more context, consult the [Security
+//@ guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines).
 function _exec(command, options, callback) {
 options = options || {};
 if (!command) common.error('must specify command');
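Review bot: The added `//@ **Note:**` block in src/exec.js tells callers to "properly sanitize user input", which is the weaker advice to lead with: the lines just above say the string goes to `sh` or `cmd.exe`, and no single escaping rule is safe for both shells, so the note should tell callers never to interpolate untrusted input into the command string and should name the shell-free alternative. I would replace the second and third added `//@` lines with `//@ shell, it must never be built from untrusted input. There is no escaping that is safe for both sh and` / `//@ cmd.exe; pass untrusted values as an argument array to Node's child_process.execFile()/spawn() instead.` (with the usual markdown backticks around the identifiers, as in the rest of the block). The README hunk carries the identical text and appears to be generated from these comments, so the wording change would flow through to it. `_exec` continues past the end of the hunk, and whether `shell.exec()` itself offers any non-shell mode is not visible here, so pointing at `child_process` is the conservative recommendation.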