This repository was archived by the owner on Dec 19, 2023. It is now read-only.


@EffectRenan

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/2-other-pirelenito/git-revision-webpack-plugin

⚙️ Description *

The git-revision-webpack-plugin package is vulnerable to Command Injection via command concatenation.

💻 Technical Description *

The file run-git-command.js does not sanitize the data provided by the user. So, any function which uses this will be vulnerable.

🐛 Proof of Concept (PoC) *

Exploring through the commithash function.

```js
// poc.js
const GitRevisionPlugin = require('git-revision-webpack-plugin');

// Shell command substitution: it only runs because the plugin builds the
// git command by string concatenation and hands it to a shell.
const payload = "$(touch poc.txt)"

const test = new GitRevisionPlugin({gitWorkTree: payload});

try {
  // Triggers run-git-command.js with the attacker-controlled work tree.
  test.commithash();
} catch {}
```

The execution of the command above implies the creation of poc.txt file.

🔥 Proof of Fix (PoF) *

The fix uses execFile from the child_process module to specify a single executable to be allowed, solving the problem with command concatenation.

As the entire command is put into a single string, it should be separated so that execFile works correctly:
execFile(executable, [arguments])

Instead of applying the split function based on whitespace to get the arguments of git commands, the fix uses a regex to solve the problem with commands which have whitespace between quotation marks, like git "a b c".

Thus, the execution of the PoC does not create the poc.txt file.

👍 User Acceptance Testing (UAT)

```js
const GitRevisionPlugin = require('git-revision-webpack-plugin');

const payload = "test" // test represents a git repository

const test = new GitRevisionPlugin({gitWorkTree: payload});

// With the fix applied this still resolves the commit hash of "test".
console.log(test.commithash());
```

@huntr-helper

👋 Hello, @pirelenito. @EffectRenan has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@pirelenito - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

