search

dpa99c / cordova-custom-config

Cordova/Phonegap plugin to update platform configuration files based on preferences and config-file data defined in config.xml
318 stars 84 forks source link

Snyk report: High severity vulnerability found in shelljs -> Command Injection #154

Closed gabriele-sacchi closed 5 years ago

gabriele-sacchi commented 5 years ago

Bug Report

Problem

Snyk (https://www.npmjs.com/package/snyk) querying a database of known vulnerabilities revealed this critical security vulnerability:

✗ High severity vulnerability found in shelljs
  Description: Command Injection
  Info: https://snyk.io/vuln/npm:shelljs:20140723
  Introduced through: cordova-android@8.0.0, cordova-ios@5.0.0, cordova-custom-config@5.0.3
  From: cordova-android@8.0.0 > shelljs@0.5.3
  From: cordova-ios@5.0.0 > shelljs@0.5.3
  From: cordova-custom-config@5.0.3 > shelljs@0.7.8

What is expected to happen?

No security vulnerabilities should be found by Snyk

What does actually happen?

High severity security vulnerability found by Snyk

Information

Steps to reproduce:

Command or Code

See above

Environment, Platform, Device

Any

Version information

latest version

Checklist

dpa99c commented 5 years ago

Security analysis tools such as Snyk are intended to highlight vulnerabilities in node.js packages which may be exploited. This may happen when the package is deployed as part of a web application or node.js webserver to a remote, public-facing server in which code could be injected to exploit the vulnerability.

However, this plugin consists of hook scripts which are used to manipulate the native platform projects of a Cordova project on a development machine before building of those projects to create a native app. Since neither those scripts nor the dependencies mentioned are every deployed elsewhere, then the highlighted vulnerabilities are irrelevant since the packages mentioned will never be placed in an environment other than the developer's local machine and therefore in an environment which their vulnerabilities will be exploited.

For this reason, this issue is being closed as not relevant.