Full Report
The package shell-quote's whole existence is around handling commands securely on the server-side. The main way the escaping was done was via regex. The regex had a hilarious bug in it. It was simply `A-z`. What does this do? Get all ASCII characters from A-Z, a-z and everything in between. What they meant was `[A-Za-z]`. What's in the middle? `:`, `;`, `<`, `=`, `>`, `?` and `@` were now allowed in the command. In particular, the semicolon could finish a bash command, only to start a new one. Fascinating to see a bug destroy the whole existence of the package.
Analysis Summary
# Vulnerability: Command Injection via Improper Shell Quoting in shell-quote
## CVE Details
- CVE ID: CVE-2021-42740
- CVSS Score: Not explicitly provided; assumed **High** due to command injection potential.
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) - based on exploitation path.
## Affected Systems
- Products: `shell-quote` npm package
- Versions: v1.6.3 through v1.7.2
- Configurations: Applications that pass untrusted input through the `shell-quote` package's `quote()` function for shell execution.
## Vulnerability Description
The `shell-quote` package, version 1.7.2 and earlier, escapes an argument with a regular expression in the fallback branch of `quote()`, the branch taken when the argument contains no whitespace or quote characters and so is not wrapped in single or double quotes. The regex begins with an optional group meant to recognise a Windows drive letter (such as `C:`) so that the colon after it is left alone, but that group used the character class `[A-z]`:
```javascript
return String(s).replace(/([A-z]:)?([#!"$&'()*,:;?@\[\\\]^`{|}])/g, '$1\\$2');
```
`[A-z]` is a range over ASCII code points 65 (`A`) through 122 (`z`), so besides the letters it admits the six symbols that sit between `Z` and `a`: `[`, `\`, `]`, `^`, `_` and the backtick. The replacement copies `$1` (the supposed drive letter and its colon) back verbatim and only prefixes `$2` with a backslash. Any of those symbols followed by a colon and then a further metacharacter (the `$2` match) is therefore captured as a "drive letter" and emitted **unescaped**. For the backtick, which opens a command substitution in the shell, that is enough to break out of the quoted argument when the result is executed by a shell, so an attacker who controls the argument can inject shell syntax. The intended character class was `[A-Za-z]`.
## Exploitation
- Status: **PoC available** (the researcher stated that a sample exploit would be published).
- Complexity: **Low** if the application uses the output directly in shell execution (RCE potential).
- Attack Vector: Primarily **Network** if untrusted input comes from a remote source, leading to Remote Code Execution (RCE).
## Impact
- Confidentiality: **High** (Potential for data exfiltration and system information disclosure via RCE).
- Integrity: **High** (Potential for unauthorized modification or deletion of data via RCE).
- Availability: **High** (Potential for denial of service or system compromise via RCE).
## Remediation
### Patches
- Users must update to **`shell-quote` version 1.7.3 or later**, where the character class was corrected to `[A-Za-z]`.
### Workarounds
- If immediate patching is not possible, applications should ensure that any input passed to `quote()` originates from a **trusted source** and is not derived from user input or external network requests.
- Better still, do not hand a shell a string at all: call `child_process.execFile()` or `spawn()` with the program name and an argument array, and without `shell: true`, so that each argument reaches the program as a separate argv entry with no shell metacharacter interpretation. `quote()` is only needed when a command line must be assembled for a shell, and that is the path this bug affects.
## Detection
- **Indicators of compromise:** In command lines built by processes that use `shell-quote` for argument preparation, look for one of the characters between `Z` and `a` (notably the backtick, also `[`, `\`, `]`, `^`) immediately followed by a colon and left unescaped; that is the pattern the flawed drive-letter group lets through. Unescaped shell metacharacters in general (`;`, `&`, `|`, `$(`) in such command lines also warrant investigation.
- **Detection methods and tools:** Software composition analysis (SCA) tools and `npm audit` flag dependencies on `shell-quote < 1.7.3`. Code review or runtime monitoring should cover paths where untrusted input flows through `quote()` into `child_process.exec()` or another shell invocation.
## References
- Vendor Advisories: the disclosure tracked as CVE-2021-42740; the fix shipped in `shell-quote` 1.7.3.
- Relevant Links:
- npm package link: `https://www.npmjs.com/package/shell-quote/v/1.7.3`
- CVE lookup: `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740`