pc035860 / angular-highlightjs

AngularJS directive for syntax highlighting with highlight.js
http://pc035860.github.io/angular-highlightjs/example/
MIT License

Command Injection vulnerability found in shelljs dependency #94

Closed Amir-61 closed 5 years ago

Amir-61 commented 5 years ago

High severity vulnerability found in shelljs
Description: Command Injection

From: angular-highlightjs@0.7.1 > highlight.js@9.15.5 > gear-lib@0.9.2 > jshint@2.5.11 > shelljs@0.3.0

Please see: https://github.com/shelljs/shelljs/issues/810 and https://github.com/shelljs/shelljs/pull/524#issuecomment-507152989

TLDR is: There is no security fix in shelljs; their recommendation is: If you do use shell.exec(), don't pass untrusted user input (or other external values) to the function--string literals are of course the safest option.

From: https://github.com/shelljs/shelljs/issues/810#issuecomment-356835680

pc035860 commented 5 years ago

Hi, thanks for reporting the vulnerability.

Since it's in the highlight.js dependency, and they seem to have already resolved it, I think all you need to do is reinstall the package to upgrade the dependency.

Closing the issue for now.

Amir-61 commented 5 years ago

Thanks. Yes, I verified the issue got resolved; also commented: https://github.com/highlightjs/highlight.js/issues/2067#issuecomment-508785741