Package name: systeminformation.
Tested package versions: 4.31.0.
Fixed package versions: >= 4.31.1.
Description: An attacker can pass an OS command wrapped in backtick quotation marks (`), and it will be executed.
Sensitive file: lib/internet.js.
The sanitizeShellString function does not sanitize backtick quotation marks (`); the characters it does strip are:
s[i] === '>' ||
s[i] === '<' ||
s[i] === '*' ||
s[i] === '?' ||
s[i] === '[' ||
s[i] === ']' ||
s[i] === '|' ||
s[i] === '˚' ||
s[i] === '$' ||
s[i] === ';' ||
s[i] === '&' ||
s[i] === '(' ||
s[i] === ')' ||
s[i] === ']' ||
s[i] === '#' ||
s[i] === '\\' ||
s[i] === '\t' ||
s[i] === '\n' ||
s[i] === '"'
const si = require('systeminformation');
si.inetLatency("`<OS command>`");