jakejs / jake

JavaScript build tool, similar to Make or Rake. Built to work with Node.js.
http://jakejs.com
Apache License 2.0

Possible command injection in jake with publishTask #391

Closed zpbrent closed 3 years ago

zpbrent commented 3 years ago

Hey, maintainers, I found a possible command-injection bug in your jake code. You can reproduce this bug with the following steps. Step 1: create a jakefile.js with the contents below:

//jakefile.js
let { publishTask } = require('jake');
publishTask('abc', {gitCmd: '$(touch HACKED);'}, () => {});
//end of jakefile.js

Step 2: run the shell command jake publish fetchTags in your terminal (make sure you run the command in the same directory where the jakefile.js you created resides); the illegal file HACKED will then be created. Note that you can replace the injected command touch HACKED with any other OS command.

Please help to confirm whether this is indeed a bug, and also what fix you would like, thanks!

felix9 commented 3 years ago

Hi, thanks for the report, but I'm not sure I understand the problem.

Since a jakefile can already run arbitrary commands, I'm not sure how this is more vulnerable than that?

Consider the potential people involved:

  1. The author of a jakefile can have it run arbitrary commands. There's no particular reason to limit what the author can express.
  2. The user of a jakefile trusts the jakefile's author. If the user runs a jakefile from a malicious author, all bets are off. (This is not a problem to be ignored, but it's a large and complicated problem with no simple solution.)
  3. Some 3rd person has a way to inject an unintended command when a user runs a jakefile from a trusted author.

It's the 3rd scenario that I think would need a security patch, and I'm not sure how that would happen in what you've described here?

zpbrent commented 3 years ago

Hi @felix9 , thanks for your quick response.

Do you mean I can directly call require('child_process').exec to run arbitrary OS commands in jakefile? If so, this is indeed not a bug, thanks!

mde commented 3 years ago

Jake by definition runs arbitrary JavaScript at the command line. This particular issue is not a vulnerability, in any way. Security is great and important, but I really wish people would stop with these bogus reports. At least understand what the tool is and how it works before reporting. This is a big waste of everyone's time.

mattiaskagstrom commented 2 years ago

This false positive is flagged in Sonatype OSS Index: https://ossindex.sonatype.org/component/pkg:npm/jake