Ericcornelissen

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 2.1.9 **Description** Shescape is a JavaScript shell escape library. A flaw exists where an attacker may be able to bypass escaping for the shell being used, potentially leading to exposure of sensitive information. This issue impacts users who configure the `shell` option to point to a file on disk that is a symbolic link to another symbolic link. The outcome of a successful exploit depends on the specific shell in use and how Shescape identifies it. The provided proof of concept demonstrates the bypass using a crafted payload with the `userInput` variable and the `shescape.escape()` function. The example uses the `/api/v1/exec` endpoint to execute commands. **Recommendations** Versions prior to 2.1.9 should be upgraded to version 2.1.9 or later. If upgrading is not possible, avoid using a shell or ensure the configured shell path is not a link to a link.

**Name of the Vulnerable Software and Affected Versions** Deno versions prior to 1.41.1 **Description** Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. **Recommendations** For Deno versions prior to 1.41.1, update to Deno 1.41.1 to resolve the issue. As a temporary workaround, consider restricting the use of the `Deno.makeTemp*` APIs to prevent potential exploitation. Avoid using prefixes or suffixes containing path traversal characters in the `Deno.makeTemp*` APIs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 1.7.4 **Description** The issue affects users of Shescape on Windows in a threaded context, allowing attackers to bypass protections by exploiting Shescape's failure to correctly escape for the expected shell. This can occur when the expected default system shell is different from the one actually used, such as when configuring the use of PowerShell but Shescape defaults to escaping for CMD instead. **Recommendations** For versions prior to 1.7.4, upgrade to version 1.7.4 to resolve the issue. If you are impacted and cannot upgrade immediately, be aware that there is no workaround possible for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 1.7.1 **Description** An attacker may be able to get read-only access to environment variables. This issue affects users of Shescape on Windows using the Windows Command Prompt, and when using `quote`/`quoteAll` or `escape`/`escapeAll` with the `interpolation` option set to `true`. For example, an attacker can exploit this by using a payload like `%PATH%` in the `shescape.quote()` or `shescape.escape()` functions, allowing them to access the contents of the PATH environment variable. **Recommendations** For versions prior to 1.7.1, upgrade to version 1.7.1 to patch the bug. As a temporary workaround, consider removing all instances of `%` from user input, either before or after using Shescape, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 1.5.10 Shescape version 1.5.9 for Bash **Description** An Inefficient Regular Expression Complexity issue affects Shescape users who utilize it to escape arguments for Unix shells, including Bash and Dash, particularly when using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. This allows an attacker to cause polynomial backtracking or quadratic runtime in terms of the input string length due to vulnerable Regular Expressions. A workaround involves enforcing a maximum length on input strings to reduce the vulnerability's impact. **Recommendations** For versions prior to 1.5.10, update to version 1.5.10 or later. For version 1.5.9 used with Bash, update to version 1.5.10 or later. As a temporary workaround, consider enforcing a maximum length on input strings to Shescape to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 1.5.8 **Description** The issue impacts users of the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. If an attacker can include whitespace in their input, they can invoke shell-specific behavior or arbitrary commands through various means, including shell-specific special characters, line feed, or carriage return characters. This affects multiple shells, including Bash, Dash, Zsh, and PowerShell. **Recommendations** To resolve the issue, upgrade to version 1.5.8 or later. No further changes are required. As a temporary workaround, consider avoiding the use of the `interpolation: true` option, as using an alternative is often possible. See the recipes for recommendations. Alternatively, users may strip all whitespace from user input, but note that this approach is error-prone and may require additional considerations, such as stripping `'u0085'` for PowerShell, which is not included in JavaScript's definition of `s` for Regular Expressions.

**Name of the Vulnerable Software and Affected Versions** Shescape versions prior to 1.5.8 **Description** The issue impacts users of Shescape who use any API function to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character (` `) in the payload. This allows for code injection on Windows. **Recommendations** For versions prior to 1.5.8, upgrade to version 1.5.8 to resolve the issue. No further changes are required. Alternatively, line feed characters (` `) can be stripped out manually or the user input can be made the last argument to limit the impact.

**Name of the Vulnerable Software and Affected Versions** shescape versions 1.4.0 through 1.5.1 **Description** The issue allows for exposure of the home directory on Unix systems when using Bash with the `escape` or `escapeAll` functions from the shescape API with the `interpolation` option set to `true`. Other tested shells, Dash and Zsh, are not affected. Depending on how the output of shescape is used, directory traversal may be possible in the application using shescape . **Recommendations** For versions 1.4.0 through 1.5.1, update to version 1.5.1 to resolve the issue. As a temporary workaround, consider manually escaping all instances of the tilde character (`~`) using `arg.replace(/~/g, "~")`.

**Name of the Vulnerable Software and Affected Versions** shescape versions prior to 1.1.3 **Description** The issue affects shescape, a simple shell escape package for JavaScript, where users may still be vulnerable to shell injection if an attacker manages to insert a null character into the payload. This can be exploited, for example, by inserting a null character in a payload on Windows. The problem has been patched in version 1.1.3. **Recommendations** For versions prior to 1.1.3, upgrade to version 1.1.3 to resolve the issue. As a temporary workaround, consider stripping out null characters manually using a method like `arg.replace(/u{0}/gu, "")` until the upgrade to version 1.1.3 is applied.