process: command injection via argument list on Windows The process library on Windows is vulnerable to a command injection vulnerability, via cmd.exe's interpretation of arguments. Programs that invoke batch files (.bat, .cmd) and pass arguments whose values are affected by program inputs may be affected. This issue was discovered in many programming languages' Windows process execution behaviour. It was tracked by CERT/CC as VU#123335 and a coordinated disclosure was made on 2024-04-09 17:00 UTC. A fix was released in process-1.6.19.0. Background Unlike POSIX systems, Windows does not have a mechanism for passing multiple arguments.Command line parsing is up to individual programs. The process library defines the RawCommand constructor for specifying an executable and its arguments: haskell data CmdSpec = ShellCommand String | RawCommand FilePath [String] On Windows, the RawCommand executable name and arguments are serialised into a single command line string, with separate arguments quoted separately. process then invokes the Windows CreateProcess routine with this command line string is given as the lpCommandLine argument. Issue When executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe. The System.Process command line construction does not escape characters with special meaning to cmd.exe. As a consequence, a command injection vulnerability arises when the following conditions are satisfied: Program running on Windows Program executes a .bat or…Read More