Closed gchiocchio closed 5 years ago
I agree with you...
Seems like this hasn't been fixed yet
@rdimascio It has already been modified once; I don't know where the risks would be.
Is it because it calls system commands?
Could it work to contact the individual who reported the incident? He may have specifics that you can react to. The advisory site https://www.npmjs.com/advisories/784 links to his homepage, where there is an email address at which he can be contacted.
Because node-os-utils fails npm audit, and passing npm audit is part of our build pipeline, we can't use it any longer.
@peterkingsbury Email sent, waiting for a reply. Thanks for the feedback.
@peterkingsbury @rdimascio @Zorono @gchiocchio
https://www.npmjs.com/advisories/784
Overview: Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server, thus rendering the package vulnerable to Remote Code Execution.
Remediation: Upgrade to version 1.1.0 or later.
Thank you all. The latest version is 1.2.1.
```javascript
// Proof of concept as posted: the payload injects a command substitution,
// $(touch ./xyzzy), into the string handed to node-os-utils' exec.
var done = function done() { console.log("Done!"); };
var DUMMY_FILE = './xyzzy';
var command = "$(touch " + DUMMY_FILE + ")";

// Stand-in for an untrusted source appending to the command string.
function dummySource(val) { command += val; }
dummySource(' ');

var nodeosutils = require('node-os-utils');
var exec = nodeosutils.exec;
exec(command)();
```
Executing this code resulted in the creation of a file "xyzzy" due to the execution of an injected command.
I just tried running this code with the current version of node-os-utils, and the vulnerability appears to have been eliminated.
The package is flagged as a high severity vulnerability by npm.
https://nodesecurity.io/advisories/784