shelljs-exec-proxy
Unleash the power of unlimited ShellJS commands... with ES6 Proxies!
Do you like ShellJS, but wish it had your favorite commands? Skip the weird exec() calls by using shelljs-exec-proxy:
// Our goal: make a commit: `$ git commit -am "I'm updating the \"foo\" module to be more secure"`
// Standard ShellJS requires the exec function, with confusing string escaping:
shell.exec('git commit -am "I\'m updating the \\"foo\\" module to be more secure"');
// Skip the extra string escaping with shelljs-exec-proxy!
shell.git.commit('-am', `I'm updating the "foo" module to be more secure`);
Important: This is only available for Node v6+ (it requires ES6 Proxies!)
$ npm install --save shelljs-exec-proxy
const shell = require('shelljs-exec-proxy');
shell.git.status();
shell.git.add('.');
shell.git.commit('-am', 'Fixed issue #1');
shell.git.push('origin', 'master');
Current versions of ShellJS export the .exec() method, which, if not used carefully, can introduce command injection vulnerabilities into your module. Here's an insecure code snippet:
// Insecure: the file name is concatenated into a string that a shell then parses
shell.ls('dir/*.txt').forEach(file => {
  shell.exec('git add ' + file);
});
This leaves you vulnerable to files like:
Example file name | Unintended behavior |
---|---|
`File 1.txt` | This tries to add both `File` and `1.txt`, instead of `File 1.txt` |
`foo;rm -rf *` | This executes both `git add foo` and `rm -rf *`, unexpectedly deleting your files! |
`ThisHas"quotes'.txt` | This tries running `git add ThisHas"quotes'.txt`, producing a Bash syntax error |
shelljs-exec-proxy solves all these problems:
// Safe: each argument is passed separately and quoted for you
shell.ls('dir/*.txt').forEach(file => {
  shell.git.add(file);
});
Example file name | Behavior |
---|---|
`File 1.txt` | Arguments are automatically quoted, so spaces aren't an issue |
`foo;rm -rf *` | Only one command runs at a time (semicolons are treated literally) and wildcards aren't expanded |
`ThisHas"quotes'.txt` | Quote characters are automatically escaped for you, so there are never any issues |
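An added example (not shelljs-exec-proxy's own code) that makes the difference between the two snippets concrete in Node.js: `quoteArg` and `buildCommand` are hypothetical helpers applying the standard POSIX single-quote rule, and `shellSplit` is a toy model of how `/bin/sh` would read each resulting command line, run over the three file names from the tables.

```javascript
// Quote one argument so a POSIX shell passes it through as a single word:
// wrap in single quotes and write an embedded single quote as '\''.
// Hypothetical helper for this example; not shelljs-exec-proxy's own code.
function quoteArg(arg) {
  const s = String(arg);
  if (/^[A-Za-z0-9_\/.=:+,-]+$/.test(s)) return s; // plain words need no quoting
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// The insecure README pattern: raw string concatenation into one command line.
function unsafeGitAdd(file) {
  return 'git add ' + file;
}

// The corrected pattern: each argument quoted individually, then joined.
function buildCommand(cmd, ...args) {
  return [cmd, ...args].map(quoteArg).join(' ');
}

// Minimal model of how /bin/sh reads a command line: whitespace separates
// words, ';' separates commands, quotes group text, backslash escapes one
// character, and an unterminated quote is a syntax error. Globbing is not
// modelled, so a bare '*' shows up as a literal word here.
function shellSplit(cmdline) {
  const commands = [[]];
  let word = null;   // null means "not inside a word"
  let quote = null;  // the currently open quote character, if any
  for (let i = 0; i < cmdline.length; i++) {
    const ch = cmdline[i];
    if (quote) {
      if (ch === quote) quote = null; else word += ch;
    } else if (ch === "'" || ch === '"') {
      quote = ch;
      if (word === null) word = '';
    } else if (ch === '\\' && i + 1 < cmdline.length) {
      word = (word ?? '') + cmdline[++i];
    } else if (ch === ';' || /\s/.test(ch)) {
      if (word !== null) commands[commands.length - 1].push(word);
      word = null;
      if (ch === ';') commands.push([]);
    } else {
      word = (word ?? '') + ch;
    }
  }
  if (quote) throw new Error('sh: syntax error: unterminated quoted string');
  if (word !== null) commands[commands.length - 1].push(word);
  return commands.filter(c => c.length > 0);
}

// The three file names from the tables above (constructed test inputs).
const SAMPLE_FILES = ['File 1.txt', 'foo;rm -rf *', 'ThisHas"quotes\'.txt'];
```

Feeding `unsafeGitAdd(f)` through `shellSplit` reproduces the first table (split words, a second `rm` command, a syntax error), while `buildCommand('git', 'add', f)` always parses back to exactly `['git', 'add', f]`.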
We found that shelljs-exec-proxy demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.