Shopify ejson2env Command Injection Vulnerability

Vulnerability

A command injection vulnerability has been identified in the Shopify ejson2env tool, prior to version 2.0.8. ejson2env decrypts an EJSON file and prints the decrypted secrets as `export NAME=value` lines that callers typically pass to `eval` or `source`. Before 2.0.8 this output was not sanitized: a variable name or value containing shell metacharacters or nonprintable characters (such as a newline) was emitted verbatim, so when the output was evaluated the shell treated the injected content as commands. The vulnerability is only triggerable when the output of ejson2env is handed to a shell for execution, which is its intended usage pattern.

Impact

Exploitation of this vulnerability allows arbitrary command execution on the host that evaluates the ejson2env output, with the privileges of the user or CI job running the shell. Because EJSON values are encrypted with the public key embedded in the file, anyone who can write to the file can add an entry without possessing the private key, so a crafted entry can be introduced by any party able to modify the secrets file.

Reproduction

The vulnerability can be reproduced by crafting an EJSON file whose environment section contains a variable name or value with shell metacharacters (for example command substitution) or nonprintable characters, decrypting it with a vulnerable ejson2env, and passing the output to `eval` or `source`. The unsanitized `export` lines are executed as shell code, and the injected commands run.

Remediation

Users are advised to update ejson2env to version 2.0.8 or later, which sanitizes its output. If updating is not possible, avoid decrypting EJSON files from untrusted sources with ejson2env, or strip nonprintable characters from the output and inspect it before evaluating it in a shell.
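The following is an added example, not ejson2env's own code, illustrating both the Reproduction and Remediation sections above. It builds `export` lines from a constructed dictionary standing in for the decrypted environment section of an EJSON file, first the naive way (no validation or quoting, the unsafe pattern described above) and then a hardened way (variable names restricted to `[A-Za-z_][A-Za-z0-9_]*`, nonprintable characters removed from values, values single-quoted with `shlex.quote`). It then evaluates each rendering in a fresh `/bin/sh` the way a consumer would. All variable names and values are made up for illustration.

```python
"""Added example (not ejson2env's own code): unsanitized `export` lines
versus a hardened rendering, each evaluated in /bin/sh."""
import re
import shlex
import subprocess

# Constructed sample standing in for the decrypted "environment" section of
# an EJSON file. The last two entries are the malicious ones: a value that
# contains a command substitution, and a name that contains shell
# metacharacters so it terminates the assignment and starts a new command.
DECRYPTED_SECRETS = {
    "DATABASE_URL": "postgres://app:s3cret@db.internal/app",
    "API_TOKEN": "$(echo INJECTED-VIA-VALUE)",
    "PATH_OVERRIDE=x; echo INJECTED-VIA-NAME #": "x",
}

# The same file with the bad name removed, to show that the hardened renderer
# neutralizes the malicious value rather than just rejecting the whole file.
SECRETS_WITH_BAD_VALUE_ONLY = {
    "DATABASE_URL": "postgres://app:s3cret@db.internal/app",
    "API_TOKEN": "$(echo INJECTED-VIA-VALUE)",
}

_VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def render_exports_naive(secrets):
    """Emit `export NAME=VALUE` lines with no validation and no quoting.

    This is the unsafe pattern described in the advisory, not a copy of
    ejson2env's implementation. Anything in NAME or VALUE that the shell
    treats specially is passed straight through to `eval`.
    """
    return "".join(f"export {name}={value}\n" for name, value in secrets.items())


def rejected_names(secrets):
    """Return the variable names that are not valid POSIX shell identifiers."""
    return [name for name in secrets if not _VALID_NAME.fullmatch(name)]


def render_exports_safe(secrets):
    """Emit `export` lines that are inert under `eval`.

    - Names must be valid shell identifiers, otherwise we refuse to render.
    - Nonprintable characters (newlines, NUL, escape sequences) are dropped
      from values, matching the advisory's manual workaround.
    - Values are single-quoted, so `$`, `;`, backticks and spaces are literal.
    """
    bad = rejected_names(secrets)
    if bad:
        raise ValueError(f"refusing to export invalid variable name(s): {bad!r}")
    lines = []
    for name, value in secrets.items():
        cleaned = "".join(ch for ch in value if ch.isprintable())
        lines.append(f"export {name}={shlex.quote(cleaned)}\n")
    return "".join(lines)


def eval_in_sh(script, probe="printf '%s' \"$API_TOKEN\""):
    """Evaluate `script` in a fresh /bin/sh via `eval`, as a consumer running
    `eval "$(ejson2env ...)"` would, then run `probe` and return stdout.

    With the naive rendering of DECRYPTED_SECRETS the returned text shows two
    injections: the `echo` smuggled in through the variable name, and the
    command substitution smuggled in through the value of API_TOKEN.
    """
    wrapper = f'eval "$1"\n{probe}\n'
    result = subprocess.run(
        ["sh", "-c", wrapper, "sh", script],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    print("naive rendering, evaluated:")
    print(eval_in_sh(render_exports_naive(DECRYPTED_SECRETS)))
    print("\nhardened rendering rejects:", rejected_names(DECRYPTED_SECRETS))
    print("hardened rendering of the remaining entries, evaluated:")
    print(eval_in_sh(render_exports_safe(SECRETS_WITH_BAD_VALUE_ONLY)))
```

Run it with `python3 example.py`. The naive rendering prints `INJECTED-VIA-NAME` during `eval` and leaves `API_TOKEN` set to the result of the command substitution; the hardened rendering refuses the malformed name outright and, for the remaining entries, leaves `API_TOKEN` containing the literal string `$(echo INJECTED-VIA-VALUE)` with nothing executed. Validating names rather than escaping them is deliberate: a name that is not a valid identifier has no legitimate use as an environment variable, so rejecting the file is safer than guessing what the author meant.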

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.