Shell Injection during Production
Shell injection occurs when an attacker-controlled string changes the structure of a command passed to a shell, or causes a child process to execute an unintended command or to run with unintended arguments. Typically this happens because application code or a dependency invokes a child_process API (exec, or spawn with a shell enabled) with a command string partly composed from untrusted input.
Shell injection may also occur during development and deployment. For example, npm and Bower preinstall, install and postinstall hooks may be subject to shell injection via filenames that contain shell meta-characters in malicious transitive dependencies, but we classify this as an MTP vulnerability.