Security fix for Command Injection in changelogx

[zpbrent]

📊 Metadata *

The git_helper.getCommits() function in changelogx package that expects to execute git log command can be illegally injected arbitrary other OS commands by its $range arguments.

Bounty URL: https://www.huntr.dev/bounties/1-npm-changelogx/

⚙️ Description *

Using execFile() to replace exec().

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape them. This PR replaces it with execFile() which mitigates any possible Command Injections as it accepts input as arrays.

🐛 Proof of Concept (PoC) *

// PoC.sh
npm i changelogx -g

git clone https://github.com/royriojas/changelogx.git
cd changelogx

ls
#you cannot see pzhou@shu
changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html
ls
#you can see pzhou@shu

🔥 Proof of Fix (PoF) *

After fix, running changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html cannot illegally create the file pzhou@shu.

👍 User Acceptance Testing (UAT)

changelogx -h
Usage: changelogx [install-hook] [options]

Options:
-f, --format String Use a specific output format, markdown or html. - either: html or markdown - default: html
-p, --tagPrefix String The tag prefix to filter the tags obtained from git.
-r, --tagRange String Filter the commits to only the ones between the given tag range
-o, --outputFile path::String Specify file to write the changelog to. If omitted the output will be printed to the stdout. IF this option is set no other logs will print to stdout (-q is implicit here)
-m, --maxSubjectLength Number If the command install-hook is used, this option allows to specify the maximum length for the commit subject - default: 140
-i, --ignoreRegExp [String] A regular expression to match for commits that should be ignored from the changelog
-h, --help Show this help
-v, --version Outputs the version number
-q, --quiet Show only the summary info - default: false
--colored-output Use colored output in logs
--stack if true, uncaught errors will show the stack trace if available
-c, --config String Path to your changelogx config. By Default will look for a changelogx section on your package.json

When no configuration is provided, some defaults based on your package.json file will be used. For Example:

"changelogx": {
"ignoreRegExp": ["BLD: Release", "DOC: Generate Changelog", "Generated Changelog"],
"issueIDRegExp" : "#(\d+)",
"commitURL": "https://github.com/$user$/changelogx/commit/{0}",
"authorURL": "https://github.com/{0}",
"issueIDURL": "https://github.com/$user$/changelogx/issues/{0}",
"projectName": "changelogx"
}

🔗 Relates to...

https://www.huntr.dev/bounties/1-npm-changelogx/

[huntr-helper]

👋 Hello, @royriojas. @zpbrent has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM

---

☎️ Need further support?

Come and join us on our community Discord!

---

❓@royriojas - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)