> >
> > But I seem to be ahead of the ecosystem here, and the advisory says:
> >
> > > When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a command injection vulnerability arises when the following conditions are satisfied:
> > >
> > > * Program running on Windows
> > > * Program executes a .bat or .cmd file
> > > * The argument values include or are influenced by program input
> >
> > So it's not obvious how this could cause a vulnerability in the hledger tools, and perhaps it's ok to relax our process lower bound.
>
> Well, on the other hand...
>
> * hledger runs on Windows
> * the hledger CLI can execute a .bat or .cmd file (.bat I'm sure of) if it is considered an add-on (named hledger-*, in PATH)
> * The argument values are influenced by program input, since on the command line you can provide any arguments you like for the add-on command
>
> So, is it in fact possible to do something bad by having a `hledger-foo.bat` in PATH and then running `hledger.exe foo bad args` on Windows?