Trying to get in touch regarding a security issue

[JamieSlome]

Hey there!

I belong to an open source security research community, and a member (@Haxatron) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

[Haxatron]

Report is located here https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c (only maintainers with write permissions can view)

This issue is different from the known issues listed here https://github.com/shelljs/shelljs/wiki/Security-guidelines

[nfischer]

Thanks for reaching out. I sent an email to @Haxatron earlier today. I'll review this report over the next few days and decide on next steps (if any).

[nfischer]

Thanks for the report. I believe this is a valid issue in ShellJS, so I've created a fix and pushed a release.

• The patch for this is fix(exec): lockdown file permissions #1060. That PR landed on tip-of-tree (master branch), however I also cherrypicked this onto the 0.8-release branch.
• This fix was released in 0.8.5. The patch for this bug is the only change between 0.8.4 and 0.8.5.
• I'm trying to figure out a nice way to edit the CHANGELOG.md to explain what went into these two versions, but this doesn't work well with the tool we use to automate changelog generation. I'll need to think a bit more about how to mix manual edits with autogenerated changelog.
• I added a SECURITY.md in chore: add SECURITY.md #1061. For future reference, the best way to get in contact with me for security issues is with the email address in that page.

If you believe this patch is insufficient, please let me know privately via email and I'll gladly investigate further.