Deno Command Injection Vulnerability in Child Process Polyfill Bypasses Previous Fix

Vulnerability

A command injection vulnerability has been identified in Deno versions 2.7.0 and 2.7.1 in the 'node:child_process' polyfill when 'shell: true' is set. The polyfill quotes each argument before handing the assembled command line to the shell, but arguments that contain a '$VAR' pattern are wrapped in double quotes instead of single quotes. In POSIX shell, double quotes suppress word splitting and globbing but not expansion: a backtick command substitution inside them (and, by the same rule, '$(...)') is still evaluated, so a crafted argument can run an arbitrary operating system command. An attacker who controls an argument passed to 'spawn' or 'spawnSync' with 'shell: true' can therefore inject commands; the injected command runs as an ordinary OS process and is not subject to Deno's permission checks.

Impact

Exploitation results in OS command injection. The injected command runs at the OS process level, outside Deno's permission sandbox, so none of Deno's other permission flags constrain it. The only permission the calling code needs is '--allow-run', which it already holds in order to spawn the shell.

Reproduction

To reproduce, run Deno 2.7.0 or 2.7.1 with '--allow-run' and call 'spawn' or 'spawnSync' with 'shell: true', passing an attacker-controlled argument that contains a '$VAR' pattern together with a backtick command substitution. The argument takes the double-quote path, the shell evaluates the backticks, and the embedded command executes.

Remediation

Upgrade to Deno 2.7.2, which fixes the issue. Independently of the version, avoid 'shell: true' with 'spawn' and 'spawnSync': pass the program and its arguments as an array without a shell, so each argument reaches the child as a single argv entry and no shell metacharacter is interpreted. If a shell is unavoidable, validate arguments against a strict allowlist rather than relying on escaping.

Added: Mar 12, 2026, 8:18 PM
Updated: Mar 12, 2026, 8:18 PM

Vulnerability Rating

Custom Algorithm
spread          6.6
impact          2.5
exploitability  4.6
remediation     7.9
relevance       4.0
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.