stjohnjohnson / jenkins-mocha

Bin wrapper for Mocha + Istanbul + Xunit (for Jenkins)
https://www.npmjs.com/package/jenkins-mocha
MIT License

Vulnerability in ShellJS subpackage #41

Open Zaky7 opened 5 years ago

Zaky7 commented 5 years ago

Vulnerability in Shelljs Sub Package

Hi Everyone,

I got a message from Git about a vulnerability in the Shelljs sub-dependency of Jenkins-mocha. After searching, I found this: https://github.com/shelljs/shelljs/commit/7a9f8e5b7547132ea3f7e4fa47356a94d1156bb3#commitcomment-34212214

The developer of Shelljs is clarifying that it is not an issue but a misuse of shell.exec(). My query is whether, in Jenkins-mocha, we are taking the required precautions (https://github.com/shelljs/shelljs/wiki/Security-guidelines) to make sure that the command injection vulnerability cannot be reproduced, so that I can safely ignore the vulnerability warning.

Zaky7 commented 5 years ago

@stjohnjohnson Are we sanitizing the input to shell.exec() function in jenkins-mocha?

stjohnjohnson commented 5 years ago

No. It's a passthrough of your commands from the Jenkins-mocha CLI directly through to the mocha CLI.

This tool is a fancy wrapper of the mocha CLI. If this were a library, I would be concerned. But it’s a CLI.

If you can execute this command on your terminal, then it should be okay to let you execute other commands on your terminal.

Zaky7 commented 5 years ago

I agree with you; for a CLI it won't be a big issue. Thanks for your response.