fix: Unsafe shell command constructed from library input #897
+4
−4
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kenyon
added a commit
to kenyon/modulesync
that referenced
this pull request
Jul 23, 2025
Allowing 1.4 resolves a security issue in Thor: * https://github.com/voxpupuli/modulesync/security/dependabot/1 * rails/thor#897 We shouldn't need to support ancient Perforce facter anymore.
kenyon
added a commit
to kenyon/openfact
that referenced
this pull request
Jul 23, 2025
Thor 1.4.0 resolves a security issue: rails/thor#897 Related: voxpupuli/modulesync#309
crsantos
added a commit
to crsantos/danger-ruby-swiftlint
that referenced
this pull request
Jul 23, 2025
crsantos
added a commit
to crsantos/danger-ruby-swiftlint
that referenced
this pull request
Jul 23, 2025
Fixes ashfurrow#208 Reference: rails/thor#897
crsantos
added a commit
to crsantos/danger-ruby-swiftlint
that referenced
this pull request
Jul 23, 2025
Fixes ashfurrow#208 Reference: rails/thor#897
2 tasks
bmwiedemann
pushed a commit
to bmwiedemann/openSUSE
that referenced
this pull request
Jul 24, 2025
https://build.opensuse.org/request/show/1295381 by user dancermak + dimstar_suse - 1.4.0: ## What's Changed * Lazy-load YAML for performance improvement in rails/thor#892 * Fix encoding error when displaying diffs in rails/thor#898 * Fix unsafe shell command construction (security issue) in rails/thor#897 (bsc#1246809) * Support `git difftool`-style merge tool identifiers in rails/thor#900 * Add `gsub_file!` and make `gsub_file` fail if no substitutions occur in rails/thor#877 ## Security * CVE-2025-54314: Fixed a vulnerability where user input could result in unsafe shell command execution. (bsc#1246809) ## New Contributors * @hlascelles made their first contribution in rails/thor#893 **Full Changelog**: https://github.com/rail
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dynamically constructing a shell command with inputs from exported functions may inadvertently change the meaning of the shell command. Clients using the exported function may use inputs containing characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.
[email protected]