Arbitrary Command Injection in strapi/strapi
Reported on
Feb 17th 2022
Description
When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link (https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13), this happens due to improper sanitization of user input.
Steps to Reproduce the POC
1) npx create-strapi-app my-project --quickstart --template ";touch poc.txt;"
2) Perform "ls" command and you will see that a file called "poc.txt" was created in the current directory.
Impact
An attacker can execute arbitrary os commands which can help him perform local privilege escalation to gain root access if strapi package can be run as sudo.
PoC (Proof)
https://prnt.sc/26xuo5z
Fix / Solution
Sanitize the input of template parameter before introducing it to the execution context.
Regards,
R.Srikar (zeltronsrikar@gmail.com) & Abhishek S(abhiabhi2306@gmail.com)
References
@admin, This issue is accurate but the severity doesn't really make sense as most of the time the only person that can use this vector is the developer running the command themselves on their computer. We are going to make a fix for the sake of it but it is far from being critical
@alexandrebodin - thank you for the information here!
You are welcome to adjust the severity of the report using the adjust severity
button on the action buttons in the right panel.
Let me know if you have any questions!
@admin it's a bit unclear where do we put the fix info. It wasn't fixed but the reporting person so not sure we should use the confirm fix button here. Can you walk me through that please
@alexandrebodin - if you click the Confirm fix
button, a modal will pop up asking about the branch and commit SHA that the fix exists on/at (it does not confirm a fix immediately). You will also be able to select who the fixer is too. Once you have filled this information in, you can submit the form.
Let me know if you have any more questions!