Replies: 1 comment
-
I'm not actually sure if node-pty will launch a bat file. Regardless though, this doesn't seem like a particularly bad issue as you should always be careful about executing anything the user gives you. Pretty sure the same can be applied to other shells like bash, which are working as designed. I'm curious to see what node.js did about it if you have that info.
-
https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

There's a new vulnerability called BatBadBut which exploits the fact that creating a process on Windows implicitly spawns `cmd.exe` when executing batch files. The article gives this as an example of vulnerable code:

However, I just tried doing something similar in a project I'm working on that uses node-pty and I wasn't able to spawn calc.exe. I was doing something more similar to

```js
spawn('./test', ['"&calc.exe'])
```

where the `.bat` extension is not explicitly specified. If there's no file called `test` in my path, then using node-pty's `spawn` with those arguments seems to just fail with "File not found". If I create an empty text file in my path and rename it to `test.bat`, then the `spawn` call fails with "Unable to start terminal process: CreateProcess failed" and calc.exe does not get spawned.

However, those are just observations from my brief testing. I'd be interested in the opinion of someone more familiar with node-pty. I tried looking into the source code, but I'm not really familiar with C++ unfortunately.
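The point the post is circling is that a command given without an extension (`./test`) can still end up as a batch file, because Windows tries the `PATHEXT` extensions in order and a `test.bat` on disk will match, at which point `cmd.exe` gets involved and parses the arguments. The guard below is an added example written for this discussion; it is not node-pty's code and makes no claim about how node-pty itself resolves commands. It simulates the extension lookup against an in-memory list of files (a constructed stand-in for the real filesystem, so it runs anywhere), and if the command resolves to `.bat` or `.cmd` it refuses to proceed with any argument containing `cmd.exe` metacharacters rather than trying to escape them. The default `PATHEXT` order and the metacharacter set are my assumptions, not taken from the linked article.

```javascript
// Added example (not node-pty's code): a pre-spawn guard for the BatBadBut pattern.
// Assumptions: the file list passed in stands in for what Windows would find on
// disk, and the PATHEXT order below is the usual default (assumed, not verified here).
const DEFAULT_PATHEXT = ['.COM', '.EXE', '.BAT', '.CMD'];
const BATCH_EXTS = new Set(['.bat', '.cmd']);

// Characters cmd.exe gives meaning to inside a batch argument: quote toggling,
// command separators, redirection, escaping, variable expansion and line breaks.
const CMD_META = /["&|<>^%\r\n()!]/;

// Extension of the last path component, or '' when there is none.
function extname(p) {
  const base = p.slice(Math.max(p.lastIndexOf('/'), p.lastIndexOf('\\')) + 1);
  const dot = base.lastIndexOf('.');
  return dot > 0 ? base.slice(dot) : '';
}

// Mimics the CreateProcess-style lookup: an explicit extension is used as-is,
// otherwise each PATHEXT entry is tried in order and the first existing file wins.
// Comparison is case-insensitive because Windows filenames are.
function resolveCommand(command, existingFiles, pathext = DEFAULT_PATHEXT) {
  const files = new Set([...existingFiles].map((f) => f.toLowerCase()));
  if (extname(command)) {
    return files.has(command.toLowerCase()) ? command : null;
  }
  for (const ext of pathext) {
    const candidate = command + ext;
    if (files.has(candidate.toLowerCase())) return candidate;
  }
  return null;
}

function isBatchFile(resolvedPath) {
  return resolvedPath !== null && BATCH_EXTS.has(extname(resolvedPath).toLowerCase());
}

// Returns { ok, reason, resolved }. A batch file is only allowed through when
// every argument is free of cmd.exe metacharacters; native executables pass.
function checkSpawn(command, args, existingFiles, pathext) {
  const resolved = resolveCommand(command, existingFiles, pathext);
  if (resolved === null) return { ok: false, reason: 'command not found', resolved };
  if (!isBatchFile(resolved)) return { ok: true, reason: 'native executable', resolved };
  const bad = args.find((a) => CMD_META.test(a));
  if (bad !== undefined) {
    return { ok: false, reason: `batch file with unsafe argument ${JSON.stringify(bad)}`, resolved };
  }
  return { ok: true, reason: 'batch file with safe arguments', resolved };
}

// Constructed scenario mirroring the post: test.bat exists, the command is given
// without an extension, and the argument is the one from the write-up.
const constructedFiles = ['./test.bat'];
console.log(checkSpawn('./test', ['"&calc.exe'], constructedFiles));
console.log(checkSpawn('./test', ['hello'], constructedFiles));
```

Rejecting is the deliberate choice here: an escaping scheme for `cmd.exe` has to get quote toggling, `%` expansion and line endings all right at once, whereas an allowlist check is easy to reason about and to test. Wiring this in front of a real `spawn` call means replacing the in-memory list with a filesystem check in the directories Windows would actually search.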