[BUG] npx@7 regression: command injection / impossible to pass a bactick as argument

[lydell]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Let’s say you have a create-blog-post CLI installed globally. You run it like so:

create-blog-post --title 'Cool `ls` tricks'

One day you install create-blog-post locally instead. Then how do you run it? Well, you could just slap npx at the start, right? Wrong! The following does not do what you expect:

npx create-blog-post --title 'Cool `ls` tricks'

Let me show why. I’m using node -p 'process.argv[2]' -- instead of create-blog-post to show that the implementation of that tool wouldn’t matter:

❯ node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool `ls` tricks

With npx in front:

❯ npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool LICENSE
README.md
lib
map.js
node_modules
package-lock.json
package.json
test tricks

Oops! The argument was treated as shell script, executed ls and put the result in my string (backticks means command interpolation)!

Expected Behavior

npx@6 got it right:

❯ npx --version
6.14.12

❯ npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool `ls` tricks

The worst thing is that I don’t even know how to workaround this issue in npx@7. Trying to add backslashes does not help. I just can’t figure out a way to pass literal backticks as an argument.

Steps To Reproduce

1. macOS or Linux (Windows have different issues)
2. With this config...
3. Run npx node -p 'process.argv[1]' '`' (tested in sh, bash, zsh, fish)
4. See error: sh: -c: line 0: unexpected EOF while looking for matching ``'

Environment

• OS: macOS Big Sur (also happens on any Linux)
• Node: 16.1.0
• npm: 7.11.2

Fix

npm/run-script#31

I’m posting an issue here as well so the PR has something to close 😄 And also to help people who have encountered the same problem can more easily find this.

[balazs4]

another usecase, same problem

antonmedv/fx#176

I'm looking forward to npm/exec#2

[ruyadorno]

cc @nlf who has been following up with npm/run-script#31

[nlf]

I'm unable to reproduce this in npm@8.9.0. I'm going to close this issue, but please do open a new one if you see this happen again.

[lydell]

@nlf Can you reopen this one, please? This is still an issue in 8.9.0.

❯ docker run --rm -it node:18 bash
Unable to find image 'node:18' locally
18: Pulling from library/node
6aefca2dc61d: Already exists
967757d56527: Already exists
c357e2c68cb3: Already exists
c766e27afb21: Already exists
32a180f5cf85: Already exists
3507b5066a40: Already exists
3c68557c340d: Pull complete
925b4ef5803f: Pull complete
3c263125b4e4: Pull complete
Digest: sha256:71c779ea8a157e6efadcafdae79f00fb39b7f3fdb2819ebef3984315c281540f
Status: Downloaded newer image for node:18
root@c99362005ff4:/# npm -v
8.8.0
root@c99362005ff4:/# npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var tricks
root@c99362005ff4:/# npm i -g npm

changed 15 packages, and audited 202 packages in 7s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
root@c99362005ff4:/# npm -v
8.9.0
root@c99362005ff4:/# npx node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var tricks
root@c99362005ff4:/# node -p 'process.argv[2]' -- --title 'Cool `ls` tricks'
Cool `ls` tricks

And when you do fix it, please link the commit that fixes it. Bonus points for a regression test!

Edit: Opened a new issue.