
Potential for command injection in printer/package/lib/printer.js #1

Closed
nodesecurity opened this issue Apr 26, 2013 · 2 comments

Comments

@nodesecurity

Overview

Untrusted input passed into the printer attribute of the first argument to the printDirect module can allow for command injection. This may be unexpected behavior for the caller.

Confirmed on version 0.0.1

Confirmed vulnerable. Examples:

var printer = require("printer");
printer.printDirect({
    data: "print from Node.JS",
    // the printer name reaches a shell unescaped, so the backtick command runs
    printer: "`ping google.com`",
    type: "TEXT",
    success: function () {
        console.log("ok");
    },
    error: function (err) { console.log(err); }
});

Recommendation

  • If you do not need to execute within a subshell, it's recommended to
    use child_process.execFile and pass in the arguments array.

Credit: Node Security Auditor

Adam Baldwin

Questions? Hit us up in #nodesecurity on freenode or email info@nodesecurity.io and reference this issue.

The Node Security Project
nodesecurity.io

@tojocky
Owner

tojocky commented Jul 1, 2013

Thanks for the pull request

@tojocky tojocky closed this as completed Jul 1, 2013
@nodesecurity
Author

Sorry for the double email, I miscommunicated to the node security project team.

Ion wrote:

Thanks for the pull request

