glob Command-Line Interface Command Injection Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A command injection vulnerability has been identified in the glob command-line interface (CLI), affecting versions 10.3.7 through 11.0.3 (fixed in 11.1.0). The issue arises in the '-c/--cmd' option: matched filenames are passed as arguments to the child process with 'shell: true', and in that mode Node.js joins the command and its arguments into a single unquoted string that is handed to the system shell. Any shell metacharacters in a matched filename (command substitution, ';', '|', '&&', backticks and similar) are therefore interpreted by the shell rather than treated as part of the name, leading to arbitrary command execution with the privileges of the user or CI account running the CLI. An attacker needs only to get a file with a crafted name into a directory tree that the glob pattern walks, for example via a repository checkout, an extracted archive or a shared upload directory. The vulnerability exists only in the CLI component; the core glob library API does not execute commands and is not affected.
Impact
Exploitation of this vulnerability allows arbitrary command execution with the full privileges of the user running the glob CLI. In a CI pipeline this typically means access to the job's environment variables (including any injected secrets and tokens), the workspace file system, and whatever network resources the runner can reach.
Reproduction
To reproduce this vulnerability, create a file whose name contains a shell command injection payload, such as a command substitution expression, inside a directory that a glob pattern will match. Then run the glob CLI with the '-c' option, specifying a command to execute on the matches. Because the matched name is passed through the shell unquoted, the shell evaluates the embedded substitution before the specified command ever sees the name, and the injected command runs with the caller's privileges. The same mechanism applies to other metacharacters, so a name containing ';' or '|' followed by a command behaves the same way.
Remediation
Users are advised to upgrade to glob version 11.1.0 or higher, where the CLI no longer runs the command through a shell. If any glob CLI actions fail after the upgrade, convert commands that relied on shell-parsed positional arguments to use the '--cmd-arg' or '-g' option instead. As a last resort, the '--shell' option can be used to retain the 'shell: true' behaviour until glob version 12; if you do so, treat every matched path as attacker-controlled input and ensure that no untrusted content (including file names from repository checkouts or extracted archives) can appear in the file path results.
