This package contains a serious security hole.

[skx]

Consider the following code:

var dnsSync = require('dns-sync');
console.log(dnsSync.resolve('$(id > /tmp/foo)'));

The library is loaded. The function resolve is called, which contains this code:

  // ..
  cmd = util.format('"%s" "%s" %s', nodeBinary, scriptPath, hostname);
  // ...
  response = shell.exec(cmd, {silent: true});

So the end result is a call to a command like:

       "/opt/node/bin/node" "/path/to/dns-lookup-script" "$(id > /tmp/foo)'"

The shell expands that, by executing "/usr/bin/id > /tmp/foo" - et voila arbitrary command execution, triggered by a DNS lookup.

[skoranga]

@skx
Added the validation check and tests with commit - d9abaae.

Also published dns-sync@0.1.1.

Please verify if you still see some issue.

[skx]

I suspect the regular expression is more complex than it needs to be, but otherwise I don't see anything to complain about.

Thanks for your prompt attention.

[fgeek]

Good job @skx :)

[skx]

@fgeek Thanks.

I'm still trying to solve a general problem with async DNS replies - blogspam.js #25 - and thought this library might be useful. Unfortunately the overhead of running a command for each lookup is too high so I had to rule it out.

[skoranga]

@skx, agreed this is bit slow since it's spawning a process to make DNS sync. Right now my use case is to resolve the DNS only on server startup, so it fits well. Let me know if you find a better solution. I am welcome to ideas.