Dismissed by @LeSuisse

Activity log
- Created automatic suggestion
- @LeSuisse removed 12 packages:
  - speech-denoiser
  - openimagedenoise
  - terraform-providers.deno
  - python312Packages.denonavr
  - python313Packages.denonavr
  - haskellPackages.pandoc-sidenote
  - terraform-providers.denoland_deno
  - gnomeExtensions.denon-avr-controler
  - python312Packages.bnunicodenormalizer
  - python313Packages.bnunicodenormalizer
  - vscode-extensions.denoland.vscode-deno
  - home-assistant-component-tests.denonavr
- @LeSuisse dismissed
Deno has an incomplete fix for command-injection prevention on Windows — case-insensitive extension bypass
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and therefore can be bypassed when the extension uses alternate casing (for example .BAT, .Bat, etc.). This vulnerability is fixed in 2.5.6.
Affected products
deno
- < 2.5.6
Package maintainers
- @06kellyjac Jack <hello+nixpkgs@j-k.io>
- @ofalvai Olivér Falvai <ofalvai@gmail.com>