Is this a vulnerability on Windows?


Simon Michael

May 2, 2024, 2:58:29 AM

to hle...@googlegroups.com

> > I made 1.33 require process >=1.6.19.0 because it fixes a command injection vulnerability on Windows ([HSEC-2024-0003](https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md), [CERT CC VU#123335](https://www.kb.cert.org/vuls/id/123335)).
> > 
> > But I seem to be ahead of the ecosystem here, and the advisory says:
> > 
> > > When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a command injection vulnerability arises when the following conditions are satisfied:
> > > 
> > > * Program running on Windows
> > > * Program executes a .bat or .cmd file
> > > * The argument values include or are influenced by program input
> > 
> > So it's not obvious how this could cause a vulnerability in the hledger tools, and perhaps it's ok to relax our process lower bound.

> Well, on the other hand...

> * hledger runs on Windows
> * the hledger CLI can execute a .bat or .cmd file (.bat I'm sure of) if it is considered an add-on (named hledger-*, in PATH)
> * The argument values are influenced by program input, since on the command line you can provide any arguments you like for the add-on command

> So, is it in fact possible to do something bad by having a `hledger-foo.bat` in PATH and then running `hledger.exe foo bad args` on Windows?
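As an added example (not hledger's own code and not part of the original post), here is the kind of pre-dispatch check an add-on dispatcher could apply before forwarding user-supplied arguments to an executable it has resolved on PATH. It flags exactly the combination the advisory describes, a `.bat`/`.cmd` target together with arguments containing characters that cmd.exe treats specially, so the caller can refuse or warn while the process lower bound is still below 1.6.19.0. The function names (`classify`, `isBatchScript`, `hasCmdMetachars`) and the sample paths are assumptions made for this example; only `takeExtension` from the `filepath` package is real.

```haskell
import Data.Char (toLower)
import System.FilePath (takeExtension)

-- CreateProcess hands .bat/.cmd targets to cmd.exe (HSEC-2024-0003), so these
-- extensions are the ones where unescaped arguments become a problem.
isBatchScript :: FilePath -> Bool
isBatchScript path = map toLower (takeExtension path) `elem` [".bat", ".cmd"]

-- Characters with special meaning to cmd.exe that System.Process < 1.6.19.0
-- passed through unescaped when the target was a batch file.
hasCmdMetachars :: String -> Bool
hasCmdMetachars = any (`elem` "&|<>^%!\"()")

data AddonCheck
  = Safe FilePath              -- fine to forward as-is
  | Risky FilePath [String]    -- batch target plus the offending arguments
  deriving (Show, Eq)

-- Pure decision over an already-resolved add-on path (hypothetical helper):
-- only a batch script combined with metacharacter-bearing arguments is risky.
classify :: FilePath -> [String] -> AddonCheck
classify exe args
  | isBatchScript exe && any hasCmdMetachars args =
      Risky exe (filter hasCmdMetachars args)
  | otherwise = Safe exe

main :: IO ()
main = do
  -- Constructed samples: the same argument list against a .bat and an .exe add-on.
  print (classify "C:\\tools\\hledger-foo.bat" ["bal", "x&y"])   -- Risky
  print (classify "C:\\tools\\hledger-foo.exe" ["bal", "x&y"])   -- Safe
  print (classify "C:\\tools\\hledger-foo.bat" ["bal", "-f", "ledger.journal"]) -- Safe
```

The check is deliberately conservative: it does not try to reproduce the escaping that process 1.6.19.0 now performs, it only identifies the case where that escaping would have mattered, which is what a dispatcher needs in order to decide whether to run the add-on, warn, or refuse.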
