Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Summary

Decrypt ejson2env allows users to decrypt EJSON secrets and export them as environment variables. The `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to a Command Injection vulnerability, allowing an attacker to execute arbitrary commands on the host system. This vulnerability affects github.com/Shopify/ejson2env package versions through 2.0.7. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding the use of `ejson2env` to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from `ejson2env` without removing nonprintable characters.