Description
willitmerge has a Command Injection vulnerability
willitmerge describes itself as a command line tool to check if pull requests are mergeable. There is a Command Injection vulnerability in version willitmerge@0.2.1.
Resources:
- Project's GitHub source code: https://github.com/shama/willitmerge/
- Project's npm package: https://www.npmjs.com/package/willitmerge
Background on exploitation
This report covers a Command Injection vulnerability in the willitmerge npm package.
The vulnerability manifests because the package calls the insecure child process execution API (exec) with a shell command string onto which it concatenates user input, whether that input is supplied through a command-line flag or is under user control in the target repository (for example, a branch name).
Exploit
POC 1
- Install willitmerge
- Run it with the following command:
- Confirm that the file /tmp/helis was created on disk
GitHub-sourced attack vector
Lines 189-197 in lib/willitmerge.js pass user input controlled by repository collaborators into the git command string.
A collaborator who creates a branch with a malicious name such as `;{echo,hello,world}>/tmp/c` has that name concatenated into the shell command, and the shell executes the injected part (the `;` ends the git command and `{echo,hello,world}` is a bash brace expansion of `echo hello world`, which avoids the spaces a git branch name cannot contain).
This is a similar attack vector to the one reported for the [pullit vulnerability](https://security.snyk.io/vuln/npm:pullit:20180214).
Author
Liran Tal
Packages
Package: willitmerge
Affected versions: <= 0.2.1
Fixed version: none
Related vulnerabilities
willitmerge is a command line tool to check if pull requests are mergeable. In versions 0.2.1 and prior, there is a Command Injection vulnerability in willitmerge. The vulnerability manifests in this package due to the use of the insecure child process execution API (exec), to which it concatenates user input, whether provided through a command-line flag or under user control in the target repository. At the time of publication, no known fix is public.