Arbitrary Command Injection in strapi/strapi
Feb 17th 2022
When creating a Strapi app with `npx create-strapi-app`, arbitrary commands can be injected through the `--template` CLI argument because of the code at this location (https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13). The root cause is improper sanitization of user input: the template value reaches a command execution context without validation.
Steps to Reproduce the POC
1) npx create-strapi-app my-project --quickstart --template ";touch poc.txt;"
2) Run "ls" and observe that a file called "poc.txt" was created in the current directory.
An attacker who controls the template argument can execute arbitrary OS commands. If the strapi package is run with sudo, those commands run as root, which turns the issue into a local privilege escalation.
Fix / Solution
Sanitize the value of the template parameter before introducing it into the execution context.
R.Srikar (email@example.com) & Abhishek S(firstname.lastname@example.org)