Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Fix for Arbitrary Code Injection - huntr.dev #150

Merged
merged 2 commits into from
Apr 26, 2021
Merged

Security Fix for Arbitrary Code Injection - huntr.dev #150

merged 2 commits into from
Apr 26, 2021

Conversation

huntr-helper
Copy link
Contributor

@ready-research (https://huntr.dev/users/ready-research) has fixed a potential Arbitrary Code Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | <=10.0.0
Bug Fix | YES
Original Pull Request | 418sec#1

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @ready-research, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

Replace eval with JSON.parse

📊 Metadata *

json is a 'json' command tool for massaging and processing JSON on the command line.

Affected versions of this package are vulnerable to Arbitrary Code Injection via the -d argument.

Bounty URL: https://www.huntr.dev/bounties/1-npm-json/

⚙️ Description *

Describe your fix clearly and concisely - imagine you are describing it to a non-technical friend.

💻 Technical Description *

Replace eval with JSON.parse to avoid Code injection through the use of eval.

🐛 Proof of Concept (PoC) *

  1. Install using npm i json
  2. And execute
curl -sL 'https://api.github.com/repos/joyent/node/issues?state=open' | node_modules/json/lib/json.js -a created_at number title -d '""+require(`child_process`).execSync(`id`)//'
  1. Output: 2015-08-29T15:29:45Z"uid=1000(kali) gid=1000(kali) groups=1000(kali)...........
    json_vuln

🔥 Proof of Fix (PoF) *

json_fix

👍 User Acceptance Testing (UAT)

After the fix functionality is not affected.

ready-research and others added 2 commits March 31, 2021 14:21
@ready-research
Fix Code injection through use of eval
ef1638d 
Replace eval with JSON.parse
Merge pull request #1 from ready-research/patch-1
4a2c4fa 
Fix Code injection through use of eval
@trentm trentm mentioned this pull request Apr 26, 2021
Closed
@trentm trentm self-assigned this Apr 26, 2021
@trentm trentm merged commit 4114e32 into trentm:master Apr 26, 2021
trentm added a commit that referenced this pull request Apr 26, 2021
@trentm
doc, fix tests, and improve errors for '-d DELIM' change in #150
4a69ea3
@trentm
Copy link
Owner

trentm commented Apr 27, 2021

json@11.0.0 released today with this fix. Thanks.
https://www.npmjs.com/package/json

@JamieSlome
Copy link

@trentm - awesome! 🍰

If you want more fixes/disclosures like this in the future, feel free to add our badge to your README:

huntr

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@trentm trentm

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@huntr-helper @trentm @JamieSlome @ready-research