Shopify Job Iteration ActiveJob Extension CsvEnumerator Class Arbitrary Code Execution Vulnerability

Vulnerability

A vulnerability allowing arbitrary code execution has been identified in versions of the Shopify Job Iteration ActiveJob extension through 1.10.0. The issue resides in the CsvEnumerator class, where file paths are handled in a way that lets a CSV filename be interpolated into a command-line operation; a malicious filename supplied as untrusted input can therefore execute commands on the host system, potentially leading to unauthorized access, data leakage, or a complete system compromise.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the system where the application is running.

Remediation

The vulnerability is fixed in version 1.11.0. Users can also mitigate the risk by keeping untrusted input away from the CsvEnumerator class and ensuring that file paths are properly sanitized and validated before use. In particular, do not call the count_of_rows_in_file method with CSV filenames that come from untrusted sources.
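The mitigation above comes down to two controls: validate the filename before it reaches a row-counting routine, and count rows without ever handing the path to a shell. The following Ruby is an added illustration written for this page; it is not code from the job-iteration gem, and the names safe_csv_path, count_rows_with_wc, count_rows_in_ruby and the allowed-directory convention are assumptions chosen for the example.

```ruby
require "open3"
require "pathname"
require "tmpdir"

# Constructed example (not the job-iteration gem's code). It shows the two
# defensive controls the advisory recommends: validating an untrusted CSV
# filename, and counting rows without passing the path through /bin/sh.

# Validate an untrusted CSV *file name* (not a path) against an allowed
# directory. Returns the resolved absolute path or raises ArgumentError.
# Hypothetical helper; the allowed-directory convention is an assumption.
def safe_csv_path(untrusted_name, allowed_dir)
  base = Pathname.new(allowed_dir).realpath

  # A bare file name must not carry a NUL byte or any directory component.
  if untrusted_name.include?("\0") || untrusted_name != File.basename(untrusted_name)
    raise ArgumentError, "invalid csv file name"
  end
  raise ArgumentError, "not a .csv file" unless File.extname(untrusted_name) == ".csv"

  # Resolve symlinks so the containment check below sees the real location.
  candidate = begin
    (base + untrusted_name).realpath
  rescue Errno::ENOENT
    raise ArgumentError, "no such csv file"
  end

  unless candidate.to_s.start_with?(base.to_s + File::SEPARATOR)
    raise ArgumentError, "outside allowed directory"
  end
  raise ArgumentError, "not a regular file" unless candidate.file?

  candidate.to_s
end

# Count newline-terminated rows with wc, but exec it directly with an argv
# array. Open3.capture2 with separate arguments never invokes a shell, so
# metacharacters in the path are passed literally rather than interpreted.
# The "--" ends option parsing so a name starting with "-" is not an option.
def count_rows_with_wc(path)
  out, status = Open3.capture2("wc", "-l", "--", path)
  raise "wc failed for #{path.inspect}" unless status.success?
  out.split.first.to_i
end

# Pure-Ruby alternative with no subprocess at all; counts lines the same way
# for files whose last row ends in a newline.
def count_rows_in_ruby(path)
  File.foreach(path).count
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    # Constructed sample CSV: a header plus two data rows.
    File.write(File.join(dir, "orders.csv"), "id,sku\n1,A-1\n2,B-2\n")
    path = safe_csv_path("orders.csv", dir)
    puts "wc:   #{count_rows_with_wc(path)}"
    puts "ruby: #{count_rows_in_ruby(path)}"
    begin
      safe_csv_path("../orders.csv", dir)
    rescue ArgumentError => e
      puts "rejected traversal attempt: #{e.message}"
    end
  end
end
```

The validation and the argv-style spawn are independent layers: even if a name with shell metacharacters passes validation because such a file genuinely exists in the allowed directory, the count still runs without a shell, so the name is only ever a literal argument.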

Added: Jul 14, 2025, 8:32 PM
Updated: Jul 14, 2025, 8:32 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.1
remediation: 7.7
relevance: 0.3
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.