meta-git - Remote Code Execution - Fix: #56
Merging fix - on-behalf of @toufik-airane, executed by huntr.dev (013-js-meta-git).
Codecov Report
@@ Coverage Diff @@
## master #56 +/- ##
====================================
Coverage 50% 50%
====================================
Files 1 1
Lines 4 4
====================================
Hits 2 2
Misses 2 2
|
@patrickleet - any thoughts/updates on this? |
Can you include an example? |
A test that shows it working would be even better |
think it looks ok - @mateodelnorte ? |
Dear @patrickleet, Thanks for your answer.
Proof of Vulnerability
We can observe the code execution.
Raw output
Remediation
Here is more information about the issue: |
LGTM
…On Fri, Mar 13, 2020 at 9:06 AM Toufik Airane ***@***.***> wrote:
Dear @patrickleet <https://github.com/patrickleet>,
Thank you for your answer.
Here is the result of user acceptance testing.
# Without the fix
🔥 test meta-git clone 'test;uname -a'
meta git cloning into 'test;uname -a' at test;uname -a
test;uname -a:
fatal: repository 'test' does not exist
usage: uname [-amnprsv]
Darwin Macbook.local 19.3.0 Darwin Kernel Version 19.3.0: Thu Jan 9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64 x86_64
test;uname -a ✓
(node:14519) UnhandledPromiseRejectionWarning: Error: ENOENT: no such file or directory, chdir '/Users/.../test' -> '/Users/.../test/test;uname -a'
at process.wrappedChdir [as chdir] (internal/bootstrap/switches/does_own_process_state.js:115:14)
at /usr/local/lib/node_modules/meta-git/bin/meta-git-clone:29:13
at /usr/local/lib/node_modules/meta-git/node_modules/meta-exec/index.js:104:22
at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:14519) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:14519) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
# with the fix
🔥 test meta-git clone 'test;uname -a'
meta git cloning into 'testuname -a' at testuname -a
testuname -a:
error: unknown switch `a'
usage: git clone [<options>] [--] <repo> [<dir>]
-v, --verbose be more verbose
-q, --quiet be more quiet
--progress force progress reporting
-n, --no-checkout don't create a checkout
--bare create a bare repository
--mirror create a mirror repository (implies bare)
-l, --local to clone from a local repository
--no-hardlinks don't use local hardlinks, always copy
-s, --shared setup as shared repository
--recursive[=<pathspec>]
initialize submodules in the clone
--recurse-submodules[=<pathspec>]
initialize submodules in the clone
-j, --jobs <n> number of submodules cloned in parallel
--template <template-directory>
directory from which templates will be used
--reference <repo> reference repository
--reference-if-able <repo>
reference repository
--dissociate use --reference only while cloning
-o, --origin <name> use <name> instead of 'origin' to track upstream
-b, --branch <branch>
checkout <branch> instead of the remote's HEAD
-u, --upload-pack <path>
path to git-upload-pack on the remote
--depth <depth> create a shallow clone of that depth
--shallow-since <time>
create a shallow clone since a specific time
--shallow-exclude <revision>
deepen history of shallow clone, excluding rev
--single-branch clone only one branch, HEAD or --branch
--no-tags don't clone any tags, and make later fetches not to follow them
--shallow-submodules any cloned submodules will be shallow
--separate-git-dir <gitdir>
separate git dir from working tree
-c, --config <key=value>
set config inside the new repository
--server-option <server-specific>
option to transmit
-4, --ipv4 use IPv4 addresses only
-6, --ipv6 use IPv6 addresses only
--filter <args> object filtering
--remote-submodules any cloned submodules will use their remote-tracking branch
testuname -a: command 'git clone testuname -a testuname -a' exited with error: Error: Command failed: git clone testuname -a testuname -a
(node:14754) UnhandledPromiseRejectionWarning: Error: ENOENT: no such file or directory, chdir '/Users/.../test' -> '/Users/.../test/testuname -a'
at process.wrappedChdir [as chdir] (internal/bootstrap/switches/does_own_process_state.js:115:14)
at /usr/local/lib/node_modules/meta-git/bin/meta-git-clone:31:13
at /usr/local/lib/node_modules/meta-git/node_modules/meta-exec/index.js:104:22
at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:14754) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:14754) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
|
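Added example, not part of this pull request or of meta-git's code: the same directory argument handed to a shell as part of a command string, and then passed as one element of an argument array with no shell involved. `echo` stands in for `git` so the block runs offline; the input is constructed on the model of the `test;uname -a` argument tested above, and `cloneViaShell`, `buildCloneArgs` and `cloneViaArgv` are hypothetical names.

```javascript
// Added example: NOT meta-git's code. `echo` stands in for `git` (assumption)
// so the behaviour can be observed without a repository or network access.
const { execSync, execFileSync } = require('child_process');

// Constructed input, modelled on the 'test;uname -a' argument used in the test above.
const HOSTILE = 'test;echo INJECTED';

// Vulnerable pattern: the value is concatenated into a string that /bin/sh parses,
// so ';' ends the intended command and whatever follows runs as a second command.
function cloneViaShell(dir) {
  return execSync('echo clone ' + dir, { encoding: 'utf8' });
}

// Hardened argument list: every value stays a single argv element.
// Values starting with '-' are rejected, and `--` marks the end of options,
// so a value can never be read as a switch by the program that receives it.
function buildCloneArgs(repo, dir) {
  for (const value of [repo, dir]) {
    if (typeof value !== 'string' || value.length === 0 || value.startsWith('-')) {
      throw new Error('refusing clone argument: ' + JSON.stringify(value));
    }
  }
  return ['clone', '--', repo, dir];
}

// No shell is started: execFileSync hands the array straight to the program.
// A real caller would run execFileSync('git', buildCloneArgs(repo, dir)).
function cloneViaArgv(repo, dir) {
  return execFileSync('echo', buildCloneArgs(repo, dir), { encoding: 'utf8' });
}
```

The `--` separator and the leading-dash check cover what the "with the fix" run above still shows: with the `;` gone, `-a` reaches `git clone` as its own word and is parsed as a switch.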
🎉 This PR is included in version 1.1.4 🎉 The release is available on: Your semantic-release bot 📦🚀 |
https://github.com/toufik-airane fixed the vulnerability associated with Remote Code Execution.
This fix is being submitted on behalf of https://github.com/toufik-airane - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.
Think you could fix a vulnerability like this - get involved (https://huntr.dev).
Q | A
Version Affected | ALL
Bug Fix | YES
Further References | 418sec#1
Bounty URL: https://huntr.dev/bounties/1-npm-meta-git