Is this a vulnerability on Windows?


Simon Michael

May 2, 2024, 2:58:29 AM

> > I made 1.33 require process >= because it fixes a command injection vulnerability on Windows ([HSEC-2024-0003], [CERT CC VU#123335]).
> > 
> > But I seem to be ahead of the ecosystem here, and the advisory says:
> > 
> > > When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a command injection vulnerability arises when the following conditions are satisfied:
> > > 
> > > * Program running on Windows
> > > * Program executes a .bat or .cmd file
> > > * The argument values include or are influenced by program input
> > 
> > So it's not obvious how this could cause a vulnerability in the hledger tools, and perhaps it's ok to relax our process lower bound.

> Well, on the other hand...

> * hledger runs on Windows
> * the hledger CLI can execute a .bat or .cmd file (.bat I'm sure of) if it is considered an add-on (named hledger-*, in PATH)
> * The argument values are influenced by program input, since on the command line you can provide any arguments you like for the add-on command

> So, is it in fact possible to do something bad by having a `hledger-foo.bat` in PATH and then running `hledger.exe foo bad args` on Windows?

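For anyone who wants to see the mechanism the advisory is describing, here is an added Python model of it. It is not code from the hledger project, the process library or the advisory, and it does not test whether hledger is affected; it only reproduces the two parsing rules that disagree. The command line is built with the C-runtime argv convention (wrap every argument in double quotes, write `"` as `\"`, double backslashes in front of a quote), and then re-parsed the way cmd.exe does when CreateProcess hands it a `.bat`/`.cmd` file: a double quote only toggles quote state, backslash is not an escape, and an unquoted `&` or `|` starts a new command. `hledger-foo.bat` is the hypothetical add-on from the post; the `calc` payload and the sample arguments are constructed for the example. Nothing is spawned, so it runs on any OS.

```python
"""Model of the cmd.exe re-parsing step described in HSEC-2024-0003.

Added example, not hledger or process-library code. Two parsers look at
the same command line: the C runtime (argv splitting) and cmd.exe
(command splitting), and they disagree about what \" means.
"""

CMD_SEPARATORS = "&|"
BATCH_SUFFIXES = (".bat", ".cmd")


def crt_quote(arg: str) -> str:
    """Quote one argument with the C-runtime convention: always wrap in
    double quotes, 2n+1 backslashes before an embedded quote, 2n before
    the closing quote. This is the convention the unfixed library used."""
    out = ['"']
    backslashes = 0
    for c in arg:
        if c == "\\":
            backslashes += 1
            continue
        if c == '"':
            out.append("\\" * (2 * backslashes + 1) + '"')
        else:
            out.append("\\" * backslashes + c)
        backslashes = 0
    out.append("\\" * (2 * backslashes) + '"')
    return "".join(out)


def build_command_line(program: str, args: list[str]) -> str:
    """The single string CreateProcess receives (program first)."""
    return " ".join(crt_quote(a) for a in [program, *args])


def cmd_split(line: str) -> list[str]:
    """Split a command line into the commands cmd.exe would run.
    A quote character is a pure toggle (it is not kept in the output),
    backslash is an ordinary character, ^ escapes the next character
    only outside quotes, and & or | outside quotes ends a command."""
    commands, current, in_quotes = [], [], False
    chars = iter(line)
    for c in chars:
        if c == '"':
            in_quotes = not in_quotes
        elif not in_quotes and c == "^":
            current.append(next(chars, ""))
        elif not in_quotes and c in CMD_SEPARATORS:
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(c)
    commands.append("".join(current).strip())
    return [cmd for cmd in commands if cmd]


def injected_commands(program: str, args: list[str]) -> list[str]:
    """Every command after the first that cmd.exe would execute, i.e. the
    injection. An empty list means the argument list arrived intact."""
    return cmd_split(build_command_line(program, args))[1:]


def is_batch_target(program: str) -> bool:
    """Only .bat/.cmd targets go through cmd.exe's re-parsing."""
    return program.lower().endswith(BATCH_SUFFIXES)


def check_batch_args(program: str, args: list[str]) -> list[str]:
    """Conservative caller-side check (this example's own rule, not the
    library's fix): for a batch target, refuse any argument containing a
    double quote (reopens cmd's parsing), a percent sign (cmd expands
    %VAR% even inside quotes) or a line break. Returns the offending
    arguments; an empty list means the call is safe to make."""
    if not is_batch_target(program):
        return []
    return [a for a in args if any(ch in a for ch in '"%\r\n')]


if __name__ == "__main__":
    bat = "hledger-foo.bat"  # hypothetical add-on name from the post
    for args in (["x & calc"], ['x" & calc'], ["x\\", "y"]):
        print(args, "->", build_command_line(bat, args),
              "-> injected:", injected_commands(bat, args),
              "refused:", check_batch_args(bat, args))
```

The interesting case is the second one: `x" & calc` is quoted correctly for the C runtime as `"x\" & calc"`, but cmd.exe sees the `\"` as a closing quote and runs `calc` as a second command. A plain `x & calc` with no quote character stays inside the quotes and is harmless, which is why the advisory's third condition is about attacker-influenced argument values rather than the presence of `&` alone. The check refuses rather than escapes because the two parsers have no common escape for a double quote that this example can vouch for.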