I would like to report a command injection vulnerability in egg-scripts.
It allows arbitrary shell command execution through a maliciously crafted command line argument.

Module

module name: [egg-scripts]version:[2.6.0]npm page: https://www.npmjs.com/package/egg-scripts

Module Description

“deploy tool for egg project.”

Module Stats

Replace stats below with numbers from npm’s module page:

209 downloads in the last day
1,958 downloads in the last week
8,333 downloads in the last month

Vulnerability

Vulnerability Description

egg-script does not sanitize the --stderr command line argument, and subsequently passes it to child_process.exec(), thus allowing arbitrary shell command injection.

Steps To Reproduce:

1. Install egg: npm i egg --save
2. Install egg-scripts: sudo npm i egg-scripts -g --save
3. Run eggctl with malicious argument: eggctl start --daemon --stderr=/tmp/eggctl_stderr.log; touch /tmp/malicious
4. Check that the injected command was executed: ls /tmp/
5. Stop eggctl: eggctl stop

Patch

Command execution happens here:

const [ stdout ] = yield exec('tail -n 100 ' + stderr);

exec could be replaced by execFile, which would force developers to separate the command and its arguments.

Supporting Material/References:

• Operating system: Debian GNU/Linux 9.5 (stretch)
• Node.js v8.11.3
• npm v5.6.0

Wrap up

• I contacted the maintainer to let them know: N
• I opened an issue in the related repository: N

Impact

Arbitrary shell command execution.