Zorono
commented
5 years ago 
i agree with you...
Closed gchiocchio closed 5 years ago
Zorono
commented
5 years ago
i agree with you...
SunilWang
commented
5 years ago 
rdimascio
commented
4 years ago Seems like this hasn't been fixed yet
SunilWang
commented
4 years ago @rdimascio already modified once, I don't know where there will be risks. 已经修改过一次,我不知道哪里会有风险。
because call system commands? 是因为调用系统命令?
peterkingsbury
commented
4 years ago Could it work to contact the individual who reported the incident? He may have specifics that you can react to. The advisory site https://www.npmjs.com/advisories/784 links his homepage, where there is email for him to be contacted.
Because node-os-utils fails npm audit, and passing npm audit is part of our build pipeline, we can't use it any longer.
SunilWang
commented
4 years ago @peterkingsbury Email sent, waiting for reply,Thanks for feedback.
SunilWang
commented
4 years ago @peterkingsbury @rdimascio @Zorono @gchiocchio
https://www.npmjs.com/advisories/784
Overview Versions of node-os-utils prior to 1.1.0 are vulnerable to Remote Code Execution. Due to insufficient input validation an attacker could run arbitrary commands on the server thus rendering the package vulnerable to Remote Code Execution.
Remediation Upgrade to version 1.1.0 or later
Thank you all, Latest version 1.2.1
franktip
commented
4 years ago done = function done(){ console.log("Done!"); };
var DUMMY_FILE = './xyzzy';
var command = "$(touch " + DUMMY_FILE + ")";
function dummySource(val){ command += val; }
dummySource(' ');
var nodeosutils = require('node-os-utils') var exec = nodeosutils.exec; exec(command)();
executing this code resulted in the creation of a file "xyzzy" due to the execution of an injected command.
franktip
commented
4 years ago I just tried running this code with the current version of node-os-utils, and the vulnerability appears to have been eliminated.
package is signed as high severity vulnerability from npm
https://nodesecurity.io/advisories/784