This repository has been archived by the owner on Dec 19, 2023. It is now read-only.
Security fix for Command Injection in changelogx #1
📊 Metadata *
The git_helper.getCommits() function in the changelogx package, which is expected to execute a `git log` command, can have arbitrary other OS commands injected through its $range argument.
Bounty URL: https://www.huntr.dev/bounties/1-npm-changelogx/
⚙️ Description *
Replace exec() with execFile().
💻 Technical Description *
The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape it. This PR replaces it with execFile(), which mitigates any possible command injection as it accepts input as an array of arguments.
🐛 Proof of Concept (PoC) *
```sh
# PoC.sh
npm i changelogx -g
git clone https://github.com/royriojas/changelogx.git
cd changelogx
ls
# the file pzhou@shu is not listed
changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html
ls
# the file pzhou@shu is now listed: the $(...) inside the tag range was run by the shell
```
🔥 Proof of Fix (PoF) *
After the fix, running
```sh
changelogx -r '1.0..;$(touch pzhou@shu)' -o changelog.html
```
no longer creates the file pzhou@shu.
👍 User Acceptance Testing (UAT)
```text
$ changelogx -h
Usage: changelogx [install-hook] [options]

Options:
  -f, --format String             Use a specific output format, markdown or html. - either: html or markdown - default: html
  -p, --tagPrefix String          The tag prefix to filter the tags obtained from git.
  -r, --tagRange String           Filter the commits to only the ones between the given tag range
  -o, --outputFile path::String   Specify file to write the changelog to. If omitted the output will be printed to the stdout. IF this option is set no other logs will print to stdout (-q is implicit here)
  -m, --maxSubjectLength Number   If the command install-hook is used, this option allows to specify the maximum length for the commit subject - default: 140
  -i, --ignoreRegExp [String]     A regular expression to match for commits that should be ignored from the changelog
  -h, --help                      Show this help
  -v, --version                   Outputs the version number
  -q, --quiet                     Show only the summary info - default: false
      --colored-output            Use colored output in logs
      --stack                     if true, uncaught errors will show the stack trace if available
  -c, --config String             Path to your changelogx config. By default will look for a changelogx section on your package.json

When no configuration is provided, some defaults based on your package.json file will be used. For example:

"changelogx": {
  "ignoreRegExp": ["BLD: Release", "DOC: Generate Changelog", "Generated Changelog"],
  "issueIDRegExp": "#(\d+)",
  "commitURL": "https://github.com/$user$/changelogx/commit/{0}",
  "authorURL": "https://github.com/{0}",
  "issueIDURL": "https://github.com/$user$/changelogx/issues/{0}",
  "projectName": "changelogx"
}
```
🔗 Relates to...
https://www.huntr.dev/bounties/1-npm-changelogx/