From 58d84ca80e02245c680317adb9975f4ba0a5b975 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alexander=20Kj=C3=A4ll?= Date: Sun, 21 Dec 2025 17:55:27 +0100 Subject: [PATCH] starship: Add information about CVE-2024-41815
---
 crates/starship/RUSTSEC-0000-0000.md | 102 +++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 crates/starship/RUSTSEC-0000-0000.md
diff --git a/crates/starship/RUSTSEC-0000-0000.md b/crates/starship/RUSTSEC-0000-0000.md new file mode 100644
index 00000000..bf345d12
--- /dev/null
+++ b/crates/starship/RUSTSEC-0000-0000.md
@@ -0,0 +1,102 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "starship"
+date = "2024-07-26"
+url = "https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5"
+categories = ["code-execution"]
+cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+aliases = ["CVE-2024-41815","GHSA-vx24-x4mv-vwr5"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 1.20.0"]
+unaffected = ["<= 1.0.0"]
+```
+
+# Shell expansion in custom commands
+
+## Summary
+
+Undocumented and unpredictable shell expansion and/or quoting
+rules make it easily to accidentally cause shell injection
+when using custom commands with starship in bash.
+
+## Details
+
+I wanted to show the git commit name in my prompt (I use bash), so I added a command:
+
+```
+[custom.git_commit_name]
+command = 'git show -s --format="%<(25,mtrunc)%s"'
+style = "italic"
+when = true
+```
+
+To my surprise, when I had a commit with backticks in it,
+the backticks were expanded. e.g.:
+
+```
+touch foo
+git add foo
+git commit -m '`ls`'
+```
+
+Thankfully I noticed it on my own commit before checking out
+someone's code whose commit message was
+
+`rm -rf /important/stuff`
+
+The documentation says:
+
+Command output is printed unescaped to the prompt
+
+```
+ Whatever output the command generates is printed unmodified in the prompt.
+ This means if the output contains special sequences that are interpreted
+ by your shell they will be expanded when displayed. These special
+ sequences are shell specific, e.g. you can write a command module that
+ writes bash sequences, e.g. \h, but this module will not work in a fish
+ or zsh shell.
+
+ Format strings can also contain shell specific prompt sequences, e.g. Bash, Zsh.
+```
+
+However, it doesn't specifically mention shell injection with $()
+and backticks; it just mentions the prompt escape sequences, and
+the link doesn't suggest any shell injection possibilities either.
+
+Furthermore, I can't even figure out how to properly escape things,
+because simply changing the command to
+
+```
+command = 'printf %q "$(git show -s --format="%<(25,mtrunc)%s")"'
+```
+
+doesn't work, as it's also adding a backslash before spaces. I also
+tried `use_stdin=false`
+
+I'm not 100% sure this qualifies as a vulnerability, but I feel it is not
+documented well enough to warn unsuspecting users, and it certainly is
+not documented how to properly quote things, because after 15-30 minutes
+of trying, I can't figure it out.
+
+I see some past commits about fixing shell injection with $, and it does
+seem like the problem doesn't exist in build-in modules like git branch.
+
+## PoC
+
+Have some custom command which prints out information from a potentially untrusted/unverified source.
+
+```
+[custom.git_commit_name]
+command = 'git show -s --format="%<(25,mtrunc)%s"'
+style = "italic"
+when = true
+```
+
+## Impact
+
+People with custom commands, so the scope is limited, and without knowledge
+of people's commands, it could be hard to target people. The only one I saw
+in the example custom commands that may be vulnerable is the playerctl one.
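Review bot: `unaffected = ["<= 1.0.0"]` in the `[versions]` table is not supported by anything in the advisory body, which describes how custom-command output has been inserted into the prompt rather than a regression introduced in a specific release; if the custom-commands module already existed in 1.0.0 and earlier, this entry tells tooling those releases are safe when they are not. The upstream advisory in `url` is the place to confirm the affected range, and unless it names a release that introduced the vulnerable behaviour I would drop that line and keep only `patched = [">= 1.20.0"]`. The rest of the text is a near-verbatim reporter's write-up, so a one-line statement of what 1.20.0 changed (taken from the upstream fix, not guessed) would help readers judge whether an existing `[custom.*]` configuration is still exposed after upgrading.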