There's a SEVERE security warning for one of the dependencies we're using.
https://www.bithound.io/github/storybooks/storybook/master/dependencies/npm/shelljs#security-advisories
Is it something we're concerned about? Should we move off of it? Help patch it?
@ndelangen You had some considerations AFAIK
Yeah, personally I feel this security warning is a bit nonsense:
The package is specifically for being able to run shell commands cross platform.
So for this package to have "command injection" is a feature, not a bug.
But having said that, shelljs could make their package more secure by default and opt in to shell-mode. More information here:
https://github.com/shelljs/shelljs/issues/143
I'm pretty sure we're not using shelljs.exec and interpolate data from outside our domain into the command, anyway. Thus there's no possibility for command injection in our case.
I am annoyed by the warning, I do not want people to think Storybook is insecure because of this, because this is first and foremost a devDependency, and second (as I already mentioned) the way we use it doesn't allow command injection to happen.
ShellJS is just as insecure as child_process, which is a core NodeJS package.
I think the SEVERE security warning is a "storm in een glas water" as we Dutch like to say.
gonna close this then.
because this is first and foremost a devDependency
not anymore
https://github.com/storybookjs/storybook/blob/next/lib/core/package.json#L82
Hmm..
Still no vulnerability:
We only use the .mkdir & .cp commands in user executed code:
https://github.com/storybookjs/storybook/blob/9835ab9d7982b3125a96582577b5b96dd2fee0d5/lib/core/src/server/build-static.js#L170
We do not use .exec in this context.