We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method fails to sanitize its second parameter named and lets it flow into a sensitive command execution API.
Here is the proof of concept.
const pager = require('node-pager');
pager('string', ' |touch rce&') // second argument is the pager command; a file named rce will be created
Please consider fixing it. Thanks!
Hello and sorry for the delay. Snyk contacted me and here was my reply:
I'm not convinced that this is a security issue with the node-pager package. It's true that command injection can be done in this way, however the node-pager package only expects the first argument to be user input which does need to be sanitized. The second argument should only be provided by the code author making use of node-pager. My reasoning is that providing malicious input like in your example is similar to providing malicious input to a system command call via for example Node's exec function -- the security vulnerability lies with the code author making use of the library, not the library itself.
I'm going to update the docs to be clear about this.