Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trying to get in touch regarding a security issue #1058

Closed
JamieSlome opened this issue Dec 27, 2021 · 5 comments · Fixed by #1060
Closed

Trying to get in touch regarding a security issue #1058

JamieSlome opened this issue Dec 27, 2021 · 5 comments · Fixed by #1060
Labels
exec Issues specific to the shell.exec() API fix Bug/defect, or a fix for such a problem high priority security
Milestone
v0.8.5

Comments

@JamieSlome
Copy link

Hey there!

I belong to an open source security research community, and a member (@Haxatron) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)
@Haxatron
Copy link

Report is located here https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c (only maintainers with write permissions can view)

This issue is different from the known issues listed here https://github.com/shelljs/shelljs/wiki/Security-guidelines

@nfischer
Copy link
Member

Thanks for reaching out. I sent an email to @Haxatron earlier today. I'll review this report over the next few days and decide on next steps (if any).

nfischer added a commit that referenced this issue Jan 7, 2022
@nfischer
fix(exec): lockdown file permissions
118539f 
This locks down file permissions used by the internal implementation of
`shell.exec()`.

Issue #1058
Tested manually using the documented scenarios
@nfischer nfischer mentioned this issue Jan 7, 2022
Merged
nfischer added a commit that referenced this issue Jan 7, 2022
@nfischer
fix(exec): lockdown file permissions (#1060)
003a39d 
This locks down file permissions used by the internal implementation of
`shell.exec()`.

Issue #1058
Tested manually using the documented scenarios
nfischer added a commit that referenced this issue Jan 7, 2022
@nfischer
fix(exec): lockdown file permissions (#1060)
d919d22 
This locks down file permissions used by the internal implementation of
`shell.exec()`.

Issue #1058
Tested manually using the documented scenarios
@nfischer nfischer added security fix Bug/defect, or a fix for such a problem exec Issues specific to the shell.exec() API labels Jan 7, 2022
@nfischer nfischer linked a pull request Jan 7, 2022 that will close this issue
fix(exec): lockdown file permissions #1060
Merged
@nfischer nfischer added this to the v0.8.5 milestone Jan 7, 2022
nfischer added a commit that referenced this issue Jan 7, 2022
@nfischer
chore: add SECURITY.md
ab04185 
No change to code. This adds a security policy.

Issue #1058
@nfischer nfischer mentioned this issue Jan 7, 2022
Merged
nfischer added a commit that referenced this issue Jan 7, 2022
@nfischer
chore: add SECURITY.md (#1061)
b4daff5 
No change to code. This adds a security policy.

Issue #1058
@nfischer
Copy link
Member

nfischer commented Jan 7, 2022

Thanks for the report. I believe this is a valid issue in ShellJS, so I've created a fix and pushed a release.

  • The patch for this is fix(exec): lockdown file permissions #1060. That PR landed on tip-of-tree (master branch), however I also cherrypicked this onto the 0.8-release branch.
  • This fix was released in 0.8.5. The patch for this bug is the only change between 0.8.4 and 0.8.5.
  • I'm trying to figure out a nice way to edit the CHANGELOG.md to explain what went into these two versions, but this doesn't work well with the tool we use to automate changelog generation. I'll need to think a bit more about how to mix manual edits with autogenerated changelog.
  • I added a SECURITY.md in chore: add SECURITY.md #1061. For future reference, the best way to get in contact with me for security issues is with the email address in that page.

If you believe this patch is insufficient, please let me know privately via email and I'll gladly investigate further.

@nfischer nfischer closed this as completed Jan 7, 2022
@JamieSlome
Copy link
Author

@nfischer - thank you for such an in-depth follow-up of the report.

Would it be possible to confirm the fix commit SHA against the report?

You can also bag a bounty for your work as well! ❤️

nfischer added a commit to shelljs/release that referenced this issue Jan 8, 2022
@nfischer
chore: update ShellJS
ee08f3a 
Update to [email protected]. See
shelljs/shelljs#1058.
nfischer added a commit to nfischer/shelljs-plugin-sleep that referenced this issue Jan 8, 2022
@nfischer
chore: update dependencies
2e2db0c 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.
@nfischer nfischer mentioned this issue Jan 8, 2022
Merged
nfischer added a commit to nfischer/shelljs-plugin-sleep that referenced this issue Jan 8, 2022
@nfischer
chore: update dependencies
3c21ebd 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.
nfischer added a commit to shelljs/changelog that referenced this issue Jan 8, 2022
@nfischer
chore: update deps
77e5241 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.
@nfischer nfischer mentioned this issue Jan 8, 2022
Merged
nfischer added a commit to nfischer/travis-check-changes that referenced this issue Jan 8, 2022
@nfischer
chore: update dependencies
05a72d3 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.

I'm updating some metadata in the package.json. This also bumps engines
to node v8 because I think ShellJS is the only consumer of this package.
@nfischer nfischer mentioned this issue Jan 8, 2022
Merged
nfischer added a commit to shelljs/plugin-open that referenced this issue Jan 8, 2022
@nfischer
chore: fix dependencies
99a7034 
This downgrades mocha and eslint for node v4. This upgrades shelljs and
related dependencies, which includes shelljs/shelljs#1058.
@nfischer nfischer mentioned this issue Jan 8, 2022
Merged
nfischer added a commit to nfischer/shelljs-exec-proxy that referenced this issue Jan 8, 2022
@nfischer
chore: update dependencies
f9f452a 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.
@nfischer nfischer mentioned this issue Jan 8, 2022
Merged
nfischer added a commit to shelljs/shx that referenced this issue Jan 9, 2022
@nfischer
chore: update dependencies
34f139a 
No change to logic. This updates dependencies, which includes
shelljs/shelljs#1058.
This was referenced Dec 14, 2023
Closed
Closed
Closed
Closed
Closed
This was referenced Dec 25, 2023
Closed
Closed
Closed
Closed
This was referenced Jan 2, 2024
Closed
Closed
Closed
Closed
This was referenced Jan 9, 2024
Closed
Closed
Closed
Closed
Closed
This was referenced Jan 17, 2024
Closed
Closed
Closed
This was referenced Jan 24, 2024
Closed
Closed
jchip pushed a commit to jchip/shcmd that referenced this issue Jun 23, 2024
@nfischer @jchip
fix(exec): lockdown file permissions (shelljs#1060)
872e46d 
This locks down file permissions used by the internal implementation of
`shell.exec()`.

Issue shelljs#1058
Tested manually using the documented scenarios
@nurrony nurrony mentioned this issue Sep 8, 2024
Open
@UbyXsofT UbyXsofT mentioned this issue Sep 8, 2024
Open
@roma8389 roma8389 mentioned this issue Sep 8, 2024
Open
This was referenced Sep 12, 2024
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
exec Issues specific to the shell.exec() API fix Bug/defect, or a fix for such a problem high priority security
Projects
None yet
Milestone
v0.8.5
Development

Successfully merging a pull request may close this issue.

fix(exec): lockdown file permissions shelljs/shelljs
3 participants
@nfischer @JamieSlome @Haxatron