Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix arbitray code execution #6

Merged
merged 1 commit into from Oct 7, 2020
Merged

Fix arbitray code execution #6

merged 1 commit into from Oct 7, 2020

Conversation

alromh87
Copy link
Contributor

@alromh87 alromh87 commented Oct 6, 2020

fs-path was vulnerable against arbitrary command injection cause some user supplied inputs were taken and composed into string to be executed without prior validation.
After update Arbitary Code Execution is avoided

Input is sanitized using shell-escape before execution

🐛 Proof of Concept (PoC) *

  1. Check there aren't files called HACKED
  2. Install package
  3. Create poc.js
const fspath = require('./lib/');
fspath.copy('./file2','./&whoami>HACKED #', function(err){
        if(err)console.log(err);
        else console.log('ok');
});
  1. Create input file
    touch file2
  2. Run poc
    node poc.js
  3. Recheck files : now HACKED has been created

🔥 Proof of Fix (PoF) *

After fix destination option is correctly treated as a string instead of being executed, file2 is copied to "./&whoami>HACKED #"

👍 User Acceptance Testing (UAT)

Commands can be executed normally

@pillys pillys merged commit ef32e31 into pillys:master Oct 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants