Deno Command Injection Vulnerability via Case-Insensitive Batch File Extension Bypass

Vulnerability

A command injection vulnerability has been identified in Deno, a runtime for JavaScript, TypeScript, and WebAssembly, affecting versions prior to 2.5.6. The issue arises from an incomplete fix that was meant to prevent the execution of Windows batch files by returning an error when a spawned file path's extension matched .bat or .cmd. That check was case-sensitive, so it could be bypassed with alternate casing such as .BAT or .Bat. As a result, user-controlled arguments could still be passed to a spawned batch script, leading to command-line injection. The vulnerability has been patched in Deno version 2.5.6.
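To make the flaw concrete, the following is an added illustration, not Deno's own source: a case-sensitive extension check of the kind the advisory describes, beside a case-insensitive replacement. The function names and sample paths are assumptions.

```typescript
// Added illustration (not Deno's code): the difference between a case-sensitive
// and a case-insensitive batch-file extension check. Names are assumptions.

// Return the extension of the final path component, including the dot.
// Split on both "\" and "/" so a directory named "dir.bat" is not mistaken
// for the file's extension.
function extensionOf(path: string): string {
  const base = path.split(/[\\/]/).pop() ?? "";
  const dot = base.lastIndexOf(".");
  return dot === -1 ? "" : base.slice(dot);
}

// The incomplete check: only an exact lowercase ".bat" or ".cmd" is rejected,
// so "test.BAT" or "test.Bat" slips through.
function isBatchFileNaive(path: string): boolean {
  const ext = extensionOf(path);
  return ext === ".bat" || ext === ".cmd";
}

// The corrected check: Windows resolves file names case-insensitively, so the
// extension must be compared case-insensitively as well.
function isBatchFile(path: string): boolean {
  const ext = extensionOf(path).toLowerCase();
  return ext === ".bat" || ext === ".cmd";
}

// Gate a spawn request. Returns an error message to surface to the caller
// instead of spawning, or null when the target is not a batch file.
function checkSpawnTarget(path: string): string | null {
  return isBatchFile(path) ? `refusing to spawn batch file: ${path}` : null;
}
```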

Impact

Exploitation of this vulnerability allows command injection on Windows systems: arguments passed to a spawned batch file are interpreted by the batch processor and can be executed as commands.

Reproduction

To reproduce this vulnerability, create a Deno script that spawns a batch file whose extension uses uppercase letters, such as 'test.BAT', and pass arguments that invoke a Windows application, such as 'calc.exe'. When the script runs, the specified application launches, demonstrating that the extension check was bypassed and a command was injected through the batch file.

Remediation

Users are advised to update Deno to version 2.5.6 or later.

Added: Jan 15, 2026, 11:19 PM
Updated: Jan 15, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 5.6
remediation: 7.7
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.