ericcornelissen shescape
- < 2.1.10
A vulnerability exists in Shescape, a shell escape library for JavaScript, in versions prior to 2.1.10. The issue arises because the Shescape#escape() function fails to escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. As a result, an attacker-controlled value passed through escape() can still be expanded by the shell into multiple filesystem matches, leading to unintended command behavior. The vulnerability is particularly concerning for applications that interpolate the escape() return value directly into shell command strings.
Exploitation of this vulnerability can lead to argument injection, where a single untrusted argument is expanded into multiple pathname matches from the trusted filesystem. This can disrupt command execution, cause unintended files to be targeted, or leak filenames.
The vulnerability can be reproduced with Shescape version 2.1.9 or earlier. After installing such a version, call the Shescape#escape() function with a string containing square brackets, such as 'secret[12]'. The escaped output still contains the brackets, so the shell treats the argument as a pattern that can match several separate entries. This can be verified by passing the escaped argument to 'execSync' in a command string, which returns multiple matches from the filesystem.
Users can upgrade to Shescape version 2.1.10 or later, where this vulnerability has been fixed.
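As an added illustration (not Shescape's own code), the guard below checks whether an escaped argument still carries glob metacharacters that Bash, Dash or BusyBox sh would expand, so an application can refuse to interpolate it into a command string. The two escaper functions are constructed stand-ins for the pre-2.1.10 and fixed behaviour described above, not the library's implementation.

```javascript
// Glob metacharacters that trigger pathname expansion in sh-family shells.
const GLOB_CHARS = new Set(["[", "]", "*", "?"]);

// Walk an escaped string honouring backslash escapes and return the glob
// metacharacters that remain active (i.e. not preceded by a backslash).
function activeGlobChars(escaped) {
  const active = [];
  for (let i = 0; i < escaped.length; i++) {
    const c = escaped[i];
    if (c === "\\") {
      i++; // the next character is escaped; skip it
      continue;
    }
    if (GLOB_CHARS.has(c)) active.push(c);
  }
  return active;
}

// True when the escaped argument can be interpolated unquoted without
// being subject to pathname expansion.
function isGlobSafe(escaped) {
  return activeGlobChars(escaped).length === 0;
}

// Constructed stand-in for the vulnerable behaviour: escapes common shell
// metacharacters but leaves square brackets untouched (assumption, for
// illustration only; not Shescape's code).
function escapeLikeVulnerable(arg) {
  return arg.replace(/([ "'$`\\*?;&|<>()])/g, "\\$1");
}

// Constructed stand-in for the fixed behaviour: also escapes [ and ].
function escapeLikeFixed(arg) {
  return arg.replace(/([ "'$`\\*?;&|<>()\[\]])/g, "\\$1");
}

// Build a command string only if the escaped argument passed the guard;
// otherwise return null so the caller can fall back to quoting or abort.
function buildCommand(program, escapedArg) {
  return isGlobSafe(escapedArg) ? `${program} ${escapedArg}` : null;
}
```

Running `buildCommand("ls", escapeLikeVulnerable("secret[12]"))` returns null because `[` and `]` are still active, while the fixed escaper yields `ls secret\[12\]`.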