qlik-oss / enigma.js

JavaScript library for consuming Qlik's Associative Engine.
MIT License
210 stars 82 forks

chore(deps): update dependency @npmcli/git to 2.0.8 [security] - autoclosed #906

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

Package Change
@npmcli/git 2.0.6 -> 2.0.8

GitHub Vulnerability Alerts

GHSA-hxwm-x553-x359

Summary

There exists a command injection vulnerability in npmcli/git versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input.

The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user controlled) Git command arguments.

Impact

Arbitrary Command Injection

Details

npmcli/git prior to release 2.0.8 passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example, passing git+https://github.com/npm/git; echo hello world would trigger the shell execution of echo hello world.

This issue was remediated by no longer running npmcli/git git commands through an intermediate shell.

Patches

This issue has been patched in release 2.0.8.

Acknowledgements

This report was reported to us by @tyage (Ierae Security) through the GitHub Bug Bounty Program.


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.