Rust Shlex Crate Command Injection Vulnerability
Vulnerability
A command injection vulnerability affects the shlex crate for Rust in versions prior to 1.2.1. The crate's quote and join functions are meant to turn an argument (or a list of arguments) into a string that a POSIX shell parses back into exactly those arguments, but they leave two characters unquoted: '{' and the non-breaking space (U+00A0, the byte '\xa0'). An unquoted '{' is subject to brace expansion in bash (an argument of '{a,b}' becomes the two words 'a' and 'b'), and an unquoted non-breaking space can be treated as whitespace by the shell, so an attacker who controls one argument can inject additional arguments where the caller expects exactly one. Whether that escalates to arbitrary command execution depends on which program receives the extra arguments.
Impact
An attacker who controls a single argument that the application passes through quote or join can smuggle additional arguments into the command line the application builds, changing the behaviour of the invoked program or executing further commands in the context of the application. Severity depends on the program that receives the arguments and on whether the shell in use performs the expansion.
Reproduction
With a shlex version prior to 1.2.1, call quote (or join) on an argument that contains '{' or '\xa0', for example '{a,b}', and pass the result to a shell (for instance via sh -c). The vulnerable versions return such an argument unchanged rather than wrapping it in quotes, so the shell expands or splits it and the program receives more arguments than the caller supplied. Inspecting the return value of quote is the quickest check: a fixed version returns the argument wrapped in quotes.
Remediation
Update the shlex crate to version 1.3.0 or later. Version 1.2.1 contains the minimal fix (the problematic characters are now quoted); 1.3.0 additionally deprecates the infallible quote and join functions in favour of try_quote and try_join, which return an error for input that cannot be quoted safely, such as an argument containing a NUL byte. Because shlex is frequently pulled in transitively (by build tooling, for example), check the dependency graph with cargo tree -i shlex or run cargo audit rather than relying on the direct dependencies in Cargo.toml.
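The following Rust example is added here to illustrate both the reproduction and the remediation above; it is not code from the shlex crate. It models the pre-1.2.1 defect as a denylist quoter that does not know about '{', '}' or U+00A0 (a simplified approximation of the old behaviour, not the crate's exact implementation), and beside it a hardened quoter in the style of the 1.3.0 API: an allowlist decides whether an argument may pass unquoted, everything else is single-quoted, and a NUL byte is reported as an error instead of silently producing a broken command line. The names naive_quote, quote, join and QuoteError are this example's own.

```rust
// Added example, not the shlex crate's own code. Models the quoting gap the
// advisory describes and a hardened allowlist-based quoter beside it.
use std::borrow::Cow;

/// Error for input that cannot be carried through a shell command line.
#[derive(Debug, PartialEq, Eq)]
pub enum QuoteError {
    /// Embedded NUL byte: argv strings are NUL-terminated, no quoting helps.
    Nul,
}

/// Approximation of the vulnerable behaviour (hypothetical model, not the crate's
/// code): quote only when a denylisted metacharacter is present. '{', '}' and
/// U+00A0 are absent from the denylist, so "{a,b}" is returned unchanged and an
/// unquoted bash command line expands it into the two words "a" and "b".
pub fn naive_quote(arg: &str) -> Cow<'_, str> {
    const DENYLIST: &str = "|&;<>()$`\\\"' \t\r\n*?[#~=%";
    if arg.is_empty() {
        return "''".into();
    }
    if arg.chars().any(|c| DENYLIST.contains(c)) {
        single_quote(arg).into()
    } else {
        arg.into()
    }
}

/// Hardened quoter: an argument passes through unquoted only if every character
/// is in a small allowlist. Brace characters, the non-breaking space, control
/// characters and any non-ASCII text fall outside it and get single-quoted.
pub fn quote(arg: &str) -> Result<Cow<'_, str>, QuoteError> {
    if arg.contains('\0') {
        return Err(QuoteError::Nul);
    }
    if arg.is_empty() {
        return Ok("''".into());
    }
    let safe = |c: char| c.is_ascii_alphanumeric() || "-_./:@+".contains(c);
    if arg.chars().all(safe) {
        Ok(arg.into())
    } else {
        Ok(single_quote(arg).into())
    }
}

/// Wrap in single quotes. Inside '...' the only character with meaning to the
/// shell is the single quote itself, emitted as '\'' (close, escaped quote, reopen).
fn single_quote(arg: &str) -> String {
    let mut out = String::with_capacity(arg.len() + 2);
    out.push('\'');
    for c in arg.chars() {
        if c == '\'' {
            out.push_str("'\\''");
        } else {
            out.push(c);
        }
    }
    out.push('\'');
    out
}

/// Quote every argument and join with single spaces, so that `sh -c` hands the
/// program exactly one word per argument. Fails on the first unquotable argument.
pub fn join<'a, I: IntoIterator<Item = &'a str>>(args: I) -> Result<String, QuoteError> {
    let mut words = Vec::new();
    for a in args {
        words.push(quote(a)?.into_owned());
    }
    Ok(words.join(" "))
}

fn main() {
    // Constructed sample arguments: brace expansion, non-breaking space, a plain
    // name, an embedded single quote and an embedded NUL.
    for arg in ["{a,b}", "a\u{a0}b", "plain.txt", "it's", "a\0b"] {
        println!("naive: {:<12} hardened: {:?}", naive_quote(arg), quote(arg));
    }
}
```

The contrast to take away is denylist versus allowlist: a denylist has to anticipate every expansion the target shell performs, and the advisory is a case of one it missed, whereas an allowlist of characters known to be inert in every POSIX shell fails closed on anything unexpected. Treating NUL as an error rather than returning a string mirrors the fallible try_quote/try_join interface that 1.3.0 introduced.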
