I would like to report a command injection vulnerability in egg-scripts.
It allows arbitrary shell command execution through a maliciously crafted command line argument.
module name: egg-scripts
version: 2.6.0
npm page: https://www.npmjs.com/package/egg-scripts
“deploy tool for egg project.”
Download statistics from npm's module page:
209 downloads in the last day
1,958 downloads in the last week
8,333 downloads in the last month
egg-scripts does not sanitize the --stderr command-line argument and passes it straight to child_process.exec(), allowing arbitrary shell command injection.
Steps to reproduce:
npm i egg --save
sudo npm i egg-scripts -g --save
eggctl start --daemon --stderr=/tmp/eggctl_stderr.log; touch /tmp/malicious
ls /tmp/
eggctl stop
Command execution happens here:
const [ stdout ] = yield exec('tail -n 100 ' + stderr);
Suggested fix: exec could be replaced by execFile, which would force developers to separate the command and its arguments.
Impact: Arbitrary shell command execution.