Closed phihag closed 3 years ago
If an attacker controls the configuration file, they can execute arbitrary commands with this software. The variables at https://github.com/TerenYeung/poeditor-cli/blob/master/packages/commands/push.js#L93 are not escaped at all.
If your configuration file has been controlled by an attacker, it means that he has administrator's permission because file IO can be handled by others.
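The difference between interpolating a configuration value into a shell string and passing it as an argument vector, shown as an added example that is not code from poeditor-cli or from either commenter. The `language` field, the function names and the `echo` stand-in command are assumptions; it expects a POSIX shell and an `echo` binary.

```javascript
// Added example. The config field, function names and the echo stand-in
// command are hypothetical; they are not taken from push.js.
const { execSync, execFileSync } = require('node:child_process');

// Constructed configs: the second value carries shell metacharacters.
const benignConfig = { language: 'en' };
const hostileConfig = { language: 'en; echo INJECTED' };

// Unescaped pattern: the value is pasted into a string that /bin/sh parses,
// so ';' ends the intended command and starts a second one.
function pushUnescaped(config) {
  return execSync(`echo pushing ${config.language}`, { encoding: 'utf8' });
}

// Argument-vector pattern: no shell is involved. Each array element reaches
// the program as exactly one argv entry, whatever characters it contains.
function pushWithArgv(config) {
  return execFileSync('echo', ['pushing', config.language], { encoding: 'utf8' });
}

// Defence in depth: reject values that do not look like a language code
// before they get anywhere near a process boundary.
function assertLanguageCode(value) {
  const pattern = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/;
  if (typeof value !== 'string' || !pattern.test(value)) {
    throw new Error(`invalid language code: ${JSON.stringify(value)}`);
  }
  return value;
}
```

With the hostile value, `pushUnescaped` returns two lines of output because the shell ran a second command, while `pushWithArgv` returns the whole value as literal text on one line.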