Pensar - auto fix for Command Injection via Unsanitized Project Name Input #12

Open. Wants to merge 1 commit into base: canary

Conversation

pensarapp[bot]

@pensarapp pensarapp bot commented Apr 1, 2025

Secured with Pensar

Fixed an OS Command Injection vulnerability (CWE-78) by adding input validation for the user-supplied project name. The fix adds a regex check (/^[a-zA-Z0-9_-]+$/) after collecting the user input to ensure the appName only contains alphanumeric characters, underscores, and dashes. If the validation fails, the script displays an error message and exits, preventing any potentially dangerous characters from being included in the shell command that is executed via execSync(). This prevents attackers from injecting malicious commands through the project name input.

More Details

Type: Application
Identifier: CWE-78, CWE-20
Message: The application builds a shell command using user-supplied input (appName) without thorough sanitization. Although the input is trimmed, an attacker could potentially inject malicious shell commands, leading to OS Command Injection (CWE-78). This vulnerability arises because the command string includes unsanitized data from a low-trust source crossing into a sensitive execution context (child_process.execSync). The risk is compounded by the direct execution of the constructed command. While default values and prompts mitigate the risk in controlled environments, if an attacker can manipulate the input, they might execute unintended commands. This is considered a true positive vulnerability.
Severity: high


vercel bot commented Apr 1, 2025

The latest updates on your projects. Learn more about Vercel for Git ↗︎

simpl-cms-docs: ✅ Ready, updated Apr 1, 2025 7:21am (UTC)
