
CVE

RUSTSEC-2024-0446

Shell expansion in custom commands

Summary

Undocumented and unpredictable shell expansion and/or quoting rules make it easy to accidentally cause shell injection when using custom commands with starship in bash.

Details

I wanted to show the git commit name in my prompt (I use bash), so I added a command:

[custom.git_commit_name]
command = 'git show -s --format="%<(25,mtrunc)%s"'
style = "italic"
when = true

To my surprise, when I had a commit with backticks in it, the backticks were expanded, e.g.:

touch foo
git add foo
git commit -m '`ls`'

Thankfully I noticed it on my own commit before checking out someone's code whose commit message was

rm -rf /important/stuff

The documentation says:

Command output is printed unescaped to the prompt

    Whatever output the command generates is printed unmodified in the prompt.
    This means if the output contains special sequences that are interpreted
    by your shell they will be expanded when displayed. These special
    sequences are shell specific, e.g. you can write a command module that
    writes bash sequences, e.g. \h, but this module will not work in a fish
    or zsh shell.
    Format strings can also contain shell specific prompt sequences, e.g. Bash, Zsh.

However, it doesn't specifically mention shell injection with $() and backticks; it just mentions the prompt escape sequences, and the link doesn't suggest any shell injection possibilities either.

Furthermore, I can't even figure out how to properly escape things, because simply changing the command to

command = 'printf %q "$(git show -s --format="%<(25,mtrunc)%s")"'

doesn't work, as it's also adding a backslash before spaces. I also tried use_stdin=false.

I'm not 100% sure this qualifies as a vulnerability, but I feel it is not documented well enough to warn unsuspecting users, and it certainly is not documented how to properly quote things, because after 15-30 minutes of trying, I can't figure it out.

I see some past commits about fixing shell injection with $, and it does seem like the problem doesn't exist in built-in modules like git branch.

PoC

Have some custom command which prints out information from a potentially untrusted/unverified source.

[custom.git_commit_name]
command = 'git show -s --format="%<(25,mtrunc)%s"'
style = "italic"
when = true

Impact

People with custom commands, so the scope is limited, and without knowledge of people's commands, it could be hard to target people. The only one I saw in the example custom commands that may be vulnerable is the playerctl one.
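An added escaping helper for the bash side of the quoting problem described under Details; it is not starship's code or the reporter's. It assumes the custom command's output is placed verbatim into PS1 with bash's promptvars option on (its default), so bash applies parameter expansion, command substitution and quote removal to it after decoding prompt escapes such as \h, and it escapes only the characters those expansions act on, which is narrower than the printf %q attempt above.

```shell
#!/usr/bin/env bash
# Added example, not part of starship or the advisory. Assumption: the custom
# command's output lands in PS1 and promptvars is set, so after bash decodes
# prompt escapes (\h, \$, ...) it also expands $var, $(cmd), `cmd` and removes
# quotes from the text before displaying it.

# Return success when the text contains something those expansions would act
# on: a backtick or a dollar (covers $(cmd), ${var}, $var and $N alike).
has_prompt_expansion() {
    case $1 in
        *'`'*|*'$'*) return 0 ;;
    esac
    return 1
}

# Escape only backslash, backtick and dollar. `printf %q` also backslashes
# every space, which is what made the reporter's attempt unusable; this keeps
# the commit subject readable. A doubled backslash also stops bash from
# reading a subject like "see \h" as the hostname prompt escape.
prompt_escape() {
    printf '%s' "$1" | sed 's/[\\`$]/\\&/g'
}

# Stdin variant, meant to be saved on PATH as a small script (hypothetical
# name prompt-escape) and used from starship.toml as
#   command = 'git show -s --format="%<(25,mtrunc)%s" | prompt-escape'
prompt_escape_stdin() {
    sed 's/[\\`$]/\\&/g'
}

# Constructed commit subject standing in for untrusted `git show` output.
subject='fix: `ls` and $(id) in the title'
if has_prompt_expansion "$subject"; then
    printf 'unsafe in PS1: %s\n' "$subject"
fi
printf 'escaped:       %s\n' "$(prompt_escape "$subject")"

# The blunt alternative is `shopt -u promptvars` in ~/.bashrc, which stops
# bash expanding anything inside PS1 at all (this assumes nothing else in
# your prompt relies on that expansion).
```

Caveat: `\$` is itself a bash prompt escape, so in a root shell an escaped dollar renders as `#` rather than `$`; the text is inert either way.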

CVSS

Version: 3.1
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


References

https://crates.io/crates/starship
https://rustsec.org/advisories/RUSTSEC-2024-0446.html
https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5

Severity

7.4 (CVSS base score)

Basic Information

Ecosystem
Base CVSS: 7.4
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 1.0.1-0
Fix Available: 1.20.0
