Closed zpbrent closed 3 years ago
Hi, thanks for the report, but I'm not sure I understand the problem.
Since a jakefile can already run arbitrary commands, I'm not sure how this is more vulnerable than that?
Consider the potential people involved:
- The author of a jakefile can have it run arbitrary commands. There's no particular reason to limit what the author can express.
- The user of a jakefile trusts the jakefile's author. If the user runs a jakefile from a malicious author, all bets are off. (This is not a problem to be ignored, but it's a large and complicated problem with no simple solution.)
- Some 3rd person has a way to inject an unintended command when a user runs a jakefile from a trusted author.
It's the 3rd scenario that I think would need a security patch, and I'm not sure how that would happen in what you've described here?
Hi @felix9, thanks for your quick response.
Do you mean I can directly call require('child_process').exec to run arbitrary OS commands in a jakefile? If so, this is indeed not a bug, thanks!
Jake by definition runs arbitrary JavaScript at the command line. This particular issue is not a vulnerability, in any way. Security is great and important, but I really wish people would stop with these bogus reports. At least understand what the tool is and how it works before reporting. This is a big waste of everyone's time.
This false-positive flags in OSS Sonatype: https://ossindex.sonatype.org/component/pkg:npm/jake
Hey, maintainers, I found a possible command injection bug in your jake code. You can reproduce this bug by the following steps:
Step 1: create a jakefile.js with contents as below:
Step 2: then run the shell command
jake publish fetchTags
in your terminal (make sure you run the command in the same directory where the jakefile.js you created before resides); the illegal file HACKED will then be created. Note that you can replace the injected command touch HACKED with any other OS command. Please help to confirm whether this is indeed a bug and also which fix you would like, thanks!