CVE-2023-35931: Test coverage for environment variables by ericcornelissen · Pull Request #982 · ericcornelissen/shescape

Shescape is a simple shell escape library for JavaScript. An attacker may be able to get read-only access to environment variables. This bug has been patched in version 1.7.1.

Relates to #976

Summary

Improve testing w.r.t. protection against injection of environment variables. Fix a bug uncovered by these new tests in escaping for CMD, which did not cover escaping for environment variables before this Pull Request.

As of this Pull Request the escaping of environment variables when using quote(All) is not perfect in that it adds unexpected characters to the string received by the target program. A solution for this was not found in time, but pushing out any solution for the environment variables bug is seen as more important. EDIT: See #986 for a followup.
