Sensitive information sent insecurely in shescape

Description

Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash

Summary

Shescape#escape() does not escape square-bracket glob syntax ([ and ]) for Bash, BusyBox sh, and Dash. When an application interpolates the return value unquoted into a shell command string, an attacker-controlled value such as secret[12] reaches the shell as a live bracket expression: the shell expands it to every matching pathname (for example secret1 and secret2) instead of passing a single literal argument, so one untrusted argument becomes several trusted filesystem paths.

Details

The unquoted Unix escape helpers never add [ or ] to their “special characters” regexes:

    src/internal/unix/bash.js:14-30

    src/internal/unix/busybox.js:14-30

    src/internal/unix/dash.js:12-19

They escape * and ? but not brackets, so new Shescape({ shell: "/usr/bin/bash" }).escape("secret[12]") still returns secret[12] unchanged. The fixtures (test/fixtures/unix.js:2236-2265, 3496-3525, 5762-5792) currently expect literal, unescaped brackets for these shells, so the test suite codifies the behavior rather than catching it. The documentation recommends Shescape#escape() as the fallback for exec when quoting isn’t possible (docs/recipes.md:154-183), which is exactly the unquoted context in which a bracket expression stays active.

Proof of Concept

Use the published npm tarball without modifications:

tmp=$(mktemp -d)
cd "$tmp"
npm pack shescape@2.1.9 >/dev/null
mkdir pkg
tar -xzf shescape-2.1.9.tgz -C pkg
cd pkg/package
npm install --omit=dev
...

Output:

/usr/bin/bash escaped=secret[12]
<secret1>
<secret2>
/usr/bin/dash escaped=secret[12]
<secret1>
<secret2>

Expected: the shell receives secret\[12\], so a single literal argument is passed and printed as <secret[12]>. Instead, [12] is treated as a bracket expression matching one character, 1 or 2, and the word expands to the existing files secret1 and secret2 in the working directory, giving two arguments and two output lines.

Impact

Argument injection: a single untrusted argument expands into multiple pathname matches from the trusted filesystem. This can change command behavior, target unintended files, or leak filenames. Because * and ? are still escaped, each bracket expression matches exactly one character, so the attacker must know or guess the length and most of the name of the target path; the PoC's secret[12] shows this against sibling files secret1 and secret2. Any application calling Shescape#escape() with Bash/BusyBox/Dash shells and interpolating the result into a shell command string is affected.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
