Is this a vulnerability on Windows ?

0 views
Skip to first unread message

Simon Michael

unread,
May 2, 2024, 2:58:29 AMMay 2
to hle...@googlegroups.com

> > I made 1.33 require process >=1.6.19.0 because it fixes a command injection vulnerability on Windows ([HSEC-2024-0003] (https://github.com/haskell/security-advisories/blob/main/advisories/hackage/process/HSEC-2024-0003.md), [CERT CC VU#123335] (https://www.kb.cert.org/vuls/id/123335)).
> > 
> > But I seem to be ahead of the ecosystem here, and the advisory says:
> > 
> > > When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a command injection vulnerability arises when the following conditions are satisfied:
> > > 
> > > * Program running on Windows
> > > * Program executes a .bat or .cmd file
> > > * The argument values include or are influenced by program input
> > 
> > So it's not obvious how this could cause a vulnerability in the hledger tools, and perhaps it's ok to relax our process lower bound.

> Well on the other hand..

> * hledger runs on Windows
> * the hledger CLI can execute a .bat or .cmd file (.bat I'm sure of) if it is considered an add-on (named hledger-*, in PATH)
> * The argument values are influenced by program input, since on the command line you can provide any arguments you like for the add-on command

> So, is it in fact possible to do something bad by having a `hledger-foo.bat` in PATH and then running `hledger.exe foo bad args` on Windows ?



Reply all
Reply to author
Forward
0 new messages