Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Remote Code Execution - huntr.dev #8

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Security Fix for Remote Code Execution - huntr.dev #8

wants to merge 2 commits into from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/alromh87 has fixed the Remote Code Execution vulnerability 馃敤. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 馃挼. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/git-static/1/README.md

User Comments:

馃搳 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-git-static

鈿欙笍 Description *

git-static was vulnerable against arbitrary command injection because some user supplied inputs were taken and formatted inside the exec() function without prior validation.
After update Arbitary Code Execution is avoided by using execFile instead of exec

馃捇 Technical Description *

Arbitary Code Execution is avoided by using execFile() instead of exec() and passing arguments via parameters instead of composing strings, piping to grep was replaced with regexp

馃悰 Proof of Concept (PoC) *

Install the package and run the below code:

const gitstatic = require("./");

gitstatic.getSha('./', " '; whoami>HACKED #", (e, resp) =>{
  if(e)console.log(e)
  else console.log(resp)
});

It will create a file named HACKED in the working directory.

git-staticPOC

馃敟 Proof of Fix (PoF) *

After fix no file is created

git-staticPOF

馃憤 User Acceptance Testing (UAT)

Commands can be executed normally

git-staticOK

Correct functionality after fix can be tested with this script:

const gitstatic = require("./");

const handleResp = (e, resp) =>{
  if(e)console.log(e)
  else console.log(resp)
};

gitstatic.getBranches('./', handleResp);
gitstatic.getSha('./', 'master', handleResp);
gitstatic.getBranchCommits('./', handleResp);
gitstatic.getCommit('./', '', handleResp);
gitstatic.getCommit('./', 'ccde678213daa6913d63b30e0f30113e0a6b0c7c', handleResp);
gitstatic.getRelatedCommits('./', 'master', 'd6c64168559aacd41f8593e53b1e17159560228b', handleResp);
gitstatic.getRelatedCommits('./', 'master', 'ccde678213daa6913d63b30e0f30113e0a6b0c7c', handleResp);
gitstatic.getRelatedCommits('./', 'master', '7101f0f77c9a174c2b0b0916d15dce273a2cab3f', handleResp);
gitstatic.listCommits('./', 'ccde678213daa6913d63b30e0f30113e0a6b0c7c', 'd6c64168559aacd41f8593e53b1e17159560228b', handleResp);
gitstatic.listAllCommits('./', handleResp);
gitstatic.listTree('./', 'ccde678213daa6913d63b30e0f30113e0a6b0c7c', handleResp);

gitStaticOK2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@huntr-helper @alromh87 @JamieSlome