Potential command injection vulnerability in git-commit-info #24

Closed
@xiaofen9

Description

@xiaofen9

Hi,

We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method gitCommitInfo() fails to sanitize its parameter `commit`, which later flows into a sensitive command execution API. As a result, attackers may inject a malicious command once they control the hash content.

Here is the proof of concept.

```js
const gitCommitInfo = require('git-commit-info')
// information of the latest commit in ./my_repo
gitCommitInfo({
  cwd: './my_repo',
  commit: '82442c2405804d7aa44e7bedbc0b93bb17707626' + " || touch ci ||", // a malicious file named ci will be created
});
```

Please consider fixing it. thanks!
