-
Notifications
You must be signed in to change notification settings - Fork 735
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Trying to get in touch regarding a security issue #1058
Comments
Report is located here https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c (only maintainers with write permissions can view) This issue is different from the known issues listed here https://github.com/shelljs/shelljs/wiki/Security-guidelines |
Thanks for reaching out. I sent an email to @Haxatron earlier today. I'll review this report over the next few days and decide on next steps (if any). |
This locks down file permissions used by the internal implementation of `shell.exec()`. Issue #1058 Tested manually using the documented scenarios
This locks down file permissions used by the internal implementation of `shell.exec()`. Issue #1058 Tested manually using the documented scenarios
This locks down file permissions used by the internal implementation of `shell.exec()`. Issue #1058 Tested manually using the documented scenarios
No change to code. This adds a security policy. Issue #1058
No change to code. This adds a security policy. Issue #1058
Thanks for the report. I believe this is a valid issue in ShellJS, so I've created a fix and pushed a release.
If you believe this patch is insufficient, please let me know privately via email and I'll gladly investigate further. |
Update to shelljs@0.8.5. See shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058. I'm updating some metadata in the package.json. This also bumps engines to node v8 because I think ShellJS is the only consumer of this package.
This downgrades mocha and eslint for node v4. This upgrades shelljs and related dependencies, which includes shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058.
No change to logic. This updates dependencies, which includes shelljs/shelljs#1058.
This locks down file permissions used by the internal implementation of `shell.exec()`. Issue shelljs#1058 Tested manually using the documented scenarios
Hey there!
I belong to an open source security research community, and a member (@Haxatron) has found an issue, but doesn’t know the best way to disclose it.
If not a hassle, might you kindly add a
SECURITY.md
file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.Thank you for your consideration, and I look forward to hearing from you!
(cc @huntr-helper)
The text was updated successfully, but these errors were encountered: