fix: path traversal via crafted filenames + command injection in --open #96
Open
JasonOA888 wants to merge 1 commit into
Conversation
…--open
Two vulnerabilities across company-research and event-prospecting
compile_report.mjs:
1. Path traversal: slug is derived directly from the markdown filename
via file.replace('.md', ''). A crafted filename like
"../../etc/evil.md" produces slug "../../etc/evil" which, when
passed to join(dir, 'companies', `${slug}.html`), writes outside
the intended output directory. Fix: strip ../ and path separators
from the slug before use.
2. Command injection (--open): execSync(`open "${path}"`) passes
the user-provided directory name through a shell. Directory names
containing $(cmd) or `cmd` are executed by bash inside the
double-quoted string. Fix: use execFileSync('open', [path]) which
bypasses shell interpolation entirely.
Two vulnerabilities in company-research and event-prospecting compile_report.mjs.
1. Path traversal via crafted .md filenames
The slug is derived directly from the markdown filename:
A crafted filename like ../../etc/evil.md produces slug ../../etc/evil. When passed to:
This resolves to a path outside the output directory (e.g. /tmp/etc/evil.html). The slug is also interpolated unsanitized into <a href="companies/${c.slug}.html">, allowing arbitrary href injection in the generated HTML.
Fix: Strip .., /, and \ from the slug after the .md removal.
2. Command injection via --open
The dir argument comes from process.argv[2]. If it contains $(cmd) or `cmd`, bash executes the command inside the double-quoted template literal.
Fix: Use execFileSync('open', [path]), which passes arguments directly to the executable without shell interpolation — the same pattern used by evaluate.mjs for browse commands.
9 lines changed across 2 files.
Note
Medium Risk
Touches security-sensitive file-path and process-invocation code paths; while the changes are small, they affect how output filenames/links are generated and how the report is launched.
Overview
Closes two injection vectors in the compile_report.mjs scripts for company-research and event-prospecting.
Company page slug values derived from .md filenames are now sanitized to strip .. and path separators, preventing path traversal (and related link/attribute injection) when generating per-company HTML files.
The --open option now uses execFileSync('open', [path]) instead of shelling out via execSync, avoiding shell interpolation/command injection via a crafted output directory.
Reviewed by Cursor Bugbot for commit d396a82.