[CVE-2021-28458] Security Fix for Command Injection - huntr.dev (#117)

2021-03-23 20:34:47 +00:00 · 2021-03-23 20:34:47 +00:00 · 1b8dcfb6d7
--- a/Changelog.md
+++ b/Changelog.md
@ -1,5 +1,8 @@
 # Changelog

+## 3.0.8 - 2021/03/23
+- Fix command injection in core function `execAz()` by replacing `exec()` with `execFile()` - CVE-2021-28458
+
 ## 3.0.7 - 2021/02/23
 - Updated doc comments on all exported members to follow TSDoc for better API reference documentation.

--- a/lib/login.ts
+++ b/lib/login.ts
@ -3,7 +3,7 @@

 import * as adal from "adal-node";
 import * as msRest from "@azure/ms-rest-js";
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { readFileSync } from "fs";
 import { Environment } from "@azure/ms-rest-azure-env";
 import { TokenCredentialsBase } from "./credentials/tokenCredentialsBase";
@ -951,7 +951,7 @@ export function loginWithAppServiceMSI(options?: MSIAppServiceOptions | Callback
 */
 export async function execAz(cmd: string): Promise<any> {
  return new Promise<any>((resolve, reject) => {
-    exec(`az ${cmd} --out json`, { encoding: "utf8" }, (error, stdout) => {
+    execFile(`az`, [cmd, `--out json`], { encoding: "utf8" }, (error, stdout) => {
      if (error) {
        return reject(error);
      }
--- a/package.json
+++ b/package.json
@ -5,7 +5,7 @@
    "email": "azsdkteam@microsoft.com",
    "url": "https://github.com/Azure/ms-rest-nodeauth"
  },
-  "version": "3.0.7",
+  "version": "3.0.8",
  "description": "Azure Authentication library in node.js with type definitions.",
  "keywords": [
    "node",