DylanPiercey / local-devices

🔮 Find devices connected to the current local network.
MIT License

fix: validate ip address before executing command for 'find' #16

Closed DylanPiercey closed 4 years ago

DylanPiercey commented 5 years ago

Currently it is possible for an attacker to execute an arbitrary command on a host system by using the find api since the argument provided is passed directly into a command string.

eg:

var userInput = '127.0.0.1 | mkdir attacker';
find(userInput);

This PR fixes this potential security issue by first validating the IP address for the find api.

//cc @natterstefan

DylanPiercey commented 5 years ago

@natterstefan do you think it's fair to release this as a patch?

natterstefan commented 5 years ago

@DylanPiercey Yes, it's fair. But considering what's also waiting in master, I suggest we release a new feature version (we briefly talked about it already), don't you think? We must also update CHANGES.md, missed that in the previous PRs: https://d.pr/i/CJTWPm/Fr4qiTTkBY.