[Minor-Security] String formatting function is prone to misuse / abuse

[espoal]

Is there an existing issue for this?

• I have searched the existing issues

Current behavior

The string formatting function is prone to misuse / abuse, due to poor behaviour on special characters.

In a monorepo setup you could overwrite the main package.json by mistake.

With a little bit of creativity it's possible to use shell expansion to do a bit of damage to the filesystem by overwriting possibly important files.

Minimum reproduction code

https://github.com/espoal/kebab-or-snake

Steps to reproduce

Type

nest new -s

When prompted for a name give

$test

Expected behavior

The $ should be dropped from the name (or kept) and the app should be created in the test ($test) folder.

Package version

10.1.7

NestJS version

No response

Node.js version

18.16.1

In which operating systems have you tested?

• macOS
• Windows
• Linux

Other

Incidentally, this issue is fixed by these PRs:

• 1501
• 2208

[kamilmysliwiec]

Let's track this here then #2208