
fix(updateServer): uncontrolled command line via `execFileSync`

Open odaysec opened this issue 6 months ago • 0 comments

https://github.com/GoogleChrome/workbox/blob/e26d8d7507f9412ba029922f3d9920e68710f2cf/demos/src/workbox-window/updateServer.js#L20-L20

https://github.com/GoogleChrome/workbox/blob/e26d8d7507f9412ba029922f3d9920e68710f2cf/demos/src/workbox-window/updateServer.js#L32-L35

To fix the issue, the code should avoid interpolating untrusted user input directly into a shell command. Instead, use safer alternatives such as execFileSync, which accepts arguments as an array and does not spawn a shell by default. This approach prevents command injection by treating each argument as a literal value rather than part of a shell command. Additionally, validate the repoUrl input to ensure it conforms to expected patterns (e.g., a valid URL or repository name).

Steps to fix:

  1. Replace execSync with execFileSync to avoid spawning a shell.
  2. Pass the repoUrl as an argument in an array to execFileSync.
  3. Validate repoUrl to ensure it is a safe and expected value (e.g., using a regular expression or an allowlist).

Code that passes untrusted user input directly to child_process.exec or similar APIs that execute shell commands allows the user to execute malicious code.

References: shell-quote


odaysec avatar Jun 02 '25 00:06 odaysec