Open Zaky7 opened 5 years ago
@stjohnjohnson Are we sanitizing the input to shell.exec() function in jenkins-mocha?
No. It's a pass-through of your commands from the jenkins-mocha CLI directly through to the mocha CLI.
This tool is a fancy wrapper of the mocha CLI. If this were a library, I would be concerned. But it’s a CLI.
If you can execute this command on your terminal, then it should be okay to let you execute other commands on your terminal.
On Sun, Aug 25, 2019 at 04:25 Zakir notifications@github.com wrote:
@stjohnjohnson https://github.com/stjohnjohnson Are we sanitizing the input to shell.exec() function in jenkins-mocha?
--
- St. John
I agree with you, for a CLI it won't be a big issue. Thanks for your response.
Vulnerability in Shelljs Sub Package
Hi Everyone,
I got a message from Git about a vulnerability in a Shelljs sub-dependency of Jenkins-mocha. After searching I found this: https://github.com/shelljs/shelljs/commit/7a9f8e5b7547132ea3f7e4fa47356a94d1156bb3#commitcomment-34212214
The developer of Shelljs is clarifying that it is not an issue but a misuse of shell.exec().
My query is whether in Jenkins-mocha we are taking the required precautions (https://github.com/shelljs/shelljs/wiki/Security-guidelines) to make sure that a command injection vulnerability cannot be reproduced, so that I can safely ignore the vulnerability warning.