Thor Unsafe Shell Command Construction Vulnerability Allowing Arbitrary Command Execution
Vulnerability
Thor versions prior to 1.4.0 can construct an unsafe shell command from input supplied by its own libraries. This flaw could lead to the execution of arbitrary commands on the system. The Thor team disputes the vulnerability, noting that the method in question only accepts arguments controlled by Thor itself, but the potential for misuse remains.
Impact
Exploitation of this vulnerability could allow a malicious user to execute arbitrary commands on the system where Thor is running.
Reproduction
To reproduce, use a Thor version prior to 1.4.0 and build a shell command that incorporates library input: export a function that returns a string containing characters the shell interprets specially, such as quotes or spaces. When that string is used to construct a command, it can change the command's behavior or cause unintended commands to run.
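As an added illustration of this flaw class (example code, not Thor's own), the Ruby below shows how a string interpolated straight into a shell command is re-split by the shell when it contains spaces or quotes, and the two hardened forms that prevent it; the helper names are assumed.

```ruby
require 'shellwords'

# Vulnerable pattern: library-provided input is interpolated directly into
# a shell command string, so any space, quote or metacharacter in `input`
# changes how /bin/sh parses the command.
def unsafe_command(input)
  "echo #{input}"
end

# Hardened pattern 1: escape the argument with Shellwords so the shell
# treats it as exactly one literal word.
def safe_command(input)
  "echo #{Shellwords.escape(input)}"
end

# Parse a command string the way a POSIX shell would, returning the list of
# words it sees, or nil when the string is unparseable (unbalanced quote).
def shell_words(command)
  Shellwords.split(command)
rescue ArgumentError
  nil
end

# Hardened pattern 2: avoid the shell entirely by passing an argv array, so
# the input reaches the program as a single argument no matter what it holds.
def run_without_shell(input)
  IO.popen(['echo', input], &:read).chomp
end

if $PROGRAM_NAME == __FILE__
  sample = 'a b'  # constructed input containing a space
  p shell_words(unsafe_command(sample))  # ["echo", "a", "b"]  two args
  p shell_words(safe_command(sample))    # ["echo", "a b"]     one arg
  p shell_words(unsafe_command("it's"))  # nil: the quote breaks parsing
  p run_without_shell('a b; c')          # "a b; c"
end
```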
Remediation
Users can upgrade to Thor version 1.4.0 or later, which addresses this vulnerability. Instructions for updating can be found on the Thor GitHub repository.
