![[shescape] Shescape has possible misidentification of shell due to link chains](/assets/images/github_com_1773014663624.png)
Security Advisories์ถ์ฒ: GitHub Security Advisories์กฐํ์ 1
[shescape] Shescape has possible misidentification of shell due to link chains
By GitHub2026๋
3์ 7์ผ
**[shescape] Shescape has possible misidentification of shell due to link chains**
Impact This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2): import fs from "node:fs"; import { exec } from "node:child_process"; import { Shescape } from "shescape"; import which from "which"; /* 1. Set up */ const shell = which.sync("bash"); const linkToShell = "./csh"; const linkToLink = "./link"; fs.rmSync(linkToLink, { force: true }); fs.rmSync(linkToShell, { force: true }); fs.symlinkSync(shell, linkToShell); fs.symlinkSync(linkToShell, linkToLink); /* 2...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.
Impact This impacts users of Shescape that configure their shell to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape. In particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2): import fs from "node:fs"; import { exec } from "node:child_process"; import { Shescape } from "shescape"; import which from "which"; /* 1. Set up */ const shell = which.sync("bash"); const linkToShell = "./csh"; const linkToLink = "./link"; fs.rmSync(linkToLink, { force: true }); fs.rmSync(linkToShell, { force: true }); fs.symlinkSync(shell, linkToShell); fs.symlinkSync(linkToShell, linkToLink); /* 2...
---
**[devsupporter ํด์ค]**
์ด ๊ธฐ์ฌ๋ GitHub Security Advisories์์ ์ ๊ณตํ๋ ์ต์ ๊ฐ๋ฐ ๋ํฅ์ ๋๋ค. ๊ด๋ จ ๋๊ตฌ๋ ๊ธฐ์ ์ ๋ํด ๋ ์์๋ณด์๋ ค๋ฉด ์๋ณธ ๋งํฌ๋ฅผ ์ฐธ๊ณ ํ์ธ์.