Snyk Vulnerability: Command Injection #447

Open
corpetty opened this Issue Jan 4, 2019 · 5 comments


corpetty commented Jan 4, 2019

Snyk found a vulnerability in this repo that allows for command injection, so it is high severity.

Unfortunately, there isn't an immediately PR-able fix for it via Snyk so more investigation on our end has to take place.

Here is some more info on the problem at hand.

vkjr commented Jan 4, 2019

Thanks for finding!

corpetty commented Jan 14, 2019

vkjr added this to High in Status Desktop Jan 14, 2019

vkjr commented Jan 14, 2019

Shelljs is currently used in the devDependencies section of package.json, so it shouldn't appear in production. But that should be double-checked.

vkjr moved this from High to In Progress in Status Desktop Jan 16, 2019

vkjr commented Jan 16, 2019

@corpetty, @oskarth

Did some investigation:

shelljs is used by react-native itself (under dev-dependencies in package.json) and by yeoman-generator (which is in the dependencies section of package.json).
(screenshot)

Inside yeoman-generator the vulnerable exec() method is used in two places to get git info (node_modules/yeoman-generator/lib/actions/user.js). No user input is processed.
(screenshot)
(screenshot)

In react-native the shelljs library is used inside helper scripts that aren't included in the resulting application js code:
(screenshot)

Implementation of react-native core and components doesn't use shelljs, so I think no user input can be passed and executed via vulnerable exec() function.

For me that looks like we have no problems with this security warning.
Wdyt?

corpetty commented Jan 16, 2019

I'm going to double check the vulnerability docs for this and see if there are other methods of calling it. If that checks out then we can close this.
