[Minor-Security] String formatting function is prone to misuse / abuse
espoal opened this issue · comments
Alberto Esposito commented
Is there an existing issue for this?
- I have searched the existing issues
Current behavior
The string formatting function is prone to misuse / abuse, due to poor behaviour on special characters.
In a monorepo setup you could overwrite the main package.json by mistake.
With a little bit of creativity it's possible to use shell expansion to do a bit of damage to the filesystem by overwriting possibly important files.
Minimum reproduction code
https://github.com/espoal/kebab-or-snake
Steps to reproduce
Type
nest new -s
When prompted for a name give
$test
Expected behavior
The $ should be dropped from the name (or kept) and the app should be created in the test ($test) folder.
Package version
10.1.7
NestJS version
No response
Node.js version
18.16.1
In which operating systems have you tested?
- macOS
- Windows
- Linux
Other
Incidentally, this issue is fixed by these PRs:
Kamil Mysliwiec commented
Let's track this here then #2208