• BatmanAoD@programming.dev
    link
    fedilink
    arrow-up
    11
    ·
    9 months ago

    How so? This exploit requires running a shell command in a way that permits an attacker to control the arguments provided. That doesn’t seem like it would be particularly common in build scripts.

    • sugar_in_your_tea@sh.itjust.works
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      9 months ago

      I’m thinking an xz-style attack where a malicious actor submits an “improvement” with an innocuous-looking change to the build script that ends up running arbitrary commands. Running a batch script seems like a reasonable thing for a build script to do (e.g. to run something like i18n or whatever), and a lot of project devs may not know much about how batch scripts work (many devs are more familiar with Linux-compatible shell scripts), so it could slip through. The batch script itself could be innocuous and thus not be caught by a reviewer.