Fix command injection vulnerability

[69]

⚙️ Description

I've remedied the command injection vulnerability by using a more secure method to run the scp command.

💻 Technical Description

I've replaced the usage of exec in this module with execFile, which automatically escapes the command variables being passed to scp.

🐛 Proof of Concept (PoC)

When running the following snippet in the node-scp directory, a file named HACKED should show up in your current working directory, proving the command injection vulnerability:

const client = require("./scp");
client.get({ port: "; touch HACKED ;" })

🔥 Proof of Fix (PoF)

When the above snippet is ran on my fork of the module, the execution fails with the error "Bad port '; touch HACKED ;'", which indicates the port variable has been escaped.

👍 User Acceptance Testing (UAT)

I've fixed the get test to request the correct file, as it requested a different file when being ran. Running the included tests after setting up a SSH location named core proves that the module is working perfectly fine:

$ node test/send.js
[Arguments] { '0': null, '1': '', '2': '' }

$ node test/get.js
[Arguments] { '0': null, '1': '', '2': '' }

The file what showed up on my remote system and after deleting it locally and running test/get, it was properly re-downloaded.

[adam-nygate]

LGTM 👍

[huntr-helper]

Congratulations @69 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!