starship: Add information about CVE-2024-41815

crates/starship/RUSTSEC-0000-0000.md

@@ -0,0 +1,102 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "starship"
+date = "2024-07-26"
+url = "https://github.com/starship/starship/security/advisories/GHSA-vx24-x4mv-vwr5"
+categories = ["code-execution"]
+cvss = "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+aliases = ["CVE-2024-41815","GHSA-vx24-x4mv-vwr5"]
+license = "CC-BY-4.0"
+
+[versions]
+patched = [">= 1.20.0"]
+unaffected = ["<= 1.0.0"]
+```
+
+# Shell expansion in custom commands
+
+## Summary
+
+Undocumented and unpredictable shell expansion and/or quoting
+rules make it easily to accidentally cause shell injection
+when using custom commands with starship in bash.
+
+## Details
+
+I wanted to show the git commit name in my prompt (I use bash), so I added a command:
+
+```
+[custom.git_commit_name]
+command = 'git show -s --format="%<(25,mtrunc)%s"'
+style = "italic"
+when = true
+```
+
+To my surprise, when I had a commit with backticks in it,
+the backticks were expanded. e.g.:
+
+```
+touch foo
+git add foo
+git commit -m '`ls`'
+```
+
+Thankfully I noticed it on my own commit before checking out
+someone's code whose commit message was
+
+`rm -rf /important/stuff`
+
+The documentation says:
+
+Command output is printed unescaped to the prompt
+
+```
+    Whatever output the command generates is printed unmodified in the prompt.
+    This means if the output contains special sequences that are interpreted
+    by your shell they will be expanded when displayed. These special
+    sequences are shell specific, e.g. you can write a command module that
+    writes bash sequences, e.g. \h, but this module will not work in a fish
+    or zsh shell.
+
+    Format strings can also contain shell specific prompt sequences, e.g. Bash, Zsh.
+```
+
+However, it doesn't specifically mention shell injection with $()
+and backticks; it just mentions the prompt escape sequences, and
+the link doesn't suggest any shell injection possibilities either.
+
+Furthermore, I can't even figure out how to properly escape things,
+because simply changing the command to
+
+```
+command = 'printf %q "$(git show -s --format="%<(25,mtrunc)%s")"'
+```
+
+doesn't work, as it's also adding a backslash before spaces. I also
+tried `use_stdin=false`
+
+I'm not 100% sure this qualifies as a vulnerability, but I feel it is not
+documented well enough to warn unsuspecting users, and it certainly is
+not documented how to properly quote things, because after 15-30 minutes
+of trying, I can't figure it out.
+
+I see some past commits about fixing shell injection with $, and it does
+seem like the problem doesn't exist in build-in modules like git branch.
+
+## PoC
+
+Have some custom command which prints out information from a potentially untrusted/unverified source.
+
+```
+[custom.git_commit_name]
+command = 'git show -s --format="%<(25,mtrunc)%s"'
+style = "italic"
+when = true
+```
+
+## Impact
+
+People with custom commands, so the scope is limited, and without knowledge
+of people's commands, it could be hard to target people. The only one I saw
+in the example custom commands that may be vulnerable is the playerctl one.