
CVE-2022-31179: Release v1.5.8 · ericcornelissen/shescape

Shescape is a simple shell escape package for JavaScript. Versions prior to 1.5.8 were found to be subject to code injection on Windows. This impacts users that use Shescape (any API function) to escape arguments for cmd.exe on Windows. An attacker can omit all arguments following their input by including a line feed character ('\n') in the payload. This bug has been patched in v1.5.8, which you can upgrade to now. No further changes are required. Alternatively, line feed characters ('\n') can be stripped out manually, or the user input can be made the last argument (this only limits the impact).


github-actions released this

v1.5.8

This tag was signed with the committer’s verified signature.

ericcornelissen Eric Cornelissen

GPG key ID: 76670872666D0F19


8b6a0ee

This commit was created on GitHub.com and signed with GitHub’s verified signature.

GPG key ID: 4AEE18F83AFDEB23


  • Fix escaping of line feed characters for Bash, Dash, and Zsh on Unix systems. (#332)
  • Fix escaping of line feed and carriage return characters for PowerShell and CMD on Windows systems. (#332)
  • Fix escaping of ~ and { for Bash on Unix systems with input strings containing line terminating characters. (#332)
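The manual workaround from the advisory, as an added example rather than Shescape's own code: line terminators are stripped from every argument before it is escaped. `escapeFn`, `tool.exe` and the sample arguments are assumptions, and carriage returns are stripped as well because the release notes list them among the CMD fixes.

```javascript
// Added example, not Shescape code. `escapeFn` is a hypothetical parameter
// standing in for whichever Shescape function the application already calls.
const LINE_TERMINATORS = /[\r\n]/g;

// Remove line terminators from one argument and report whether any were found,
// so the caller can log or reject the input instead of silently accepting it.
function stripLineTerminators(arg) {
  const value = String(arg);
  const cleaned = value.replace(LINE_TERMINATORS, "");
  return { cleaned, modified: cleaned !== value };
}

// Build a command line, sanitising every argument before it is escaped.
// `strip: false` reproduces the unmitigated behaviour for comparison.
function buildCommand(program, args, escapeFn, { strip = true } = {}) {
  const flagged = []; // indexes of arguments that contained a line terminator
  const parts = args.map((arg, index) => {
    const { cleaned, modified } = stripLineTerminators(arg);
    if (modified) flagged.push(index);
    return escapeFn(strip ? cleaned : String(arg));
  });
  return { command: [program, ...parts].join(" "), flagged };
}

// Simplified model of the impact the advisory describes (an assumption, not a
// cmd.exe emulation): everything after the first line feed is omitted.
function effectiveCommand(command) {
  return command.split("\n", 1)[0];
}

// Constructed sample: user input first, a safety flag second.
// The identity function models only the one relevant property of an affected
// escaper: it leaves "\n" in place.
const leavesLineFeed = (s) => s;
const sampleArgs = ["report\n", "--read-only"];

const before = buildCommand("tool.exe", sampleArgs, leavesLineFeed, { strip: false });
const after = buildCommand("tool.exe", sampleArgs, leavesLineFeed);

console.log(JSON.stringify(effectiveCommand(before.command)));
console.log(JSON.stringify(effectiveCommand(after.command)));
console.log(after.flagged);
```

The `flagged` indexes let the caller log or refuse requests whose arguments carried a line terminator instead of only cleaning them.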
