Arbitrary code execution fix: Replace exec with execFile

[d3v53c]

📊 Metadata *

Command Injection in xopen

Bounty URL: https://www.huntr.dev/bounties/1-npm-xopen/

⚙️ Description *

Used child_process.execFile() instead of child_process.exec().

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape them. This PR replaces it with execFile() which mitigates any possible Command Injections as it accepts input as arrays.

🐛 Proof of Concept (PoC) *

1. Create the following PoC file:

// poc.js
var xopen =require("xopen");
xopen("& touch HACKED");

2. Execute the following commands in terminal:

npm i xopen # Install affected module
node poc.js #  Run the PoC

3.Check the Output using ls command before and after the execution.

🔥 Proof of Fix (PoF) *

Before:

After:

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

🔗 Relates to...

418sec/huntr#1838

[huntr-helper]

👋 Hello, @andrewimm - @d3v53c has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above.

Ultimately, you get to decide if the fix is 👍 or 👎. If you are happy with the fix, please write a new comment (@huntr-helper - LGTM) and we will open a PR to your repository with the fix. All remaining PRs for this vulnerability will be automatically closed.

If you have any questions or need support, come and join us on our community Discord!

@andrewimm & @d3v53c - thank you for your efforts in securing the world’s open source code! 🎉