juanfran / gulp-scss-lint

Gulp plugin to lint scss files with `scss-lint`

Security Fix for Command Injection - huntr.dev #93

Closed huntr-helper closed 4 years ago

huntr-helper commented 4 years ago

https://huntr.dev/users/Mik317 has fixed the Command Injection vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/gulp-scss-lint/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/gulp-scss-lint/1/README.md |

User Comments:

Bounty URL: https://www.huntr.dev/bounties/1-npm-gulp-scss-lint

⚙️ Description *

The gulp-scss-lint module was vulnerable to arbitrary command injection because user-supplied input was taken and formatted into a command that was then executed without proper checks.

💻 Technical Description *

I replaced exec() with execFile() to prevent malicious authors from executing commands that don't use the scss-lint command (used by the library itself).

🐛 Proof of Concept (PoC) *

```javascript
var root = require("gulp-scss-lint");
// The option value is placed unescaped into the command string, so a
// shell metacharacter sequence in it is executed by the shell.
var attack_code = "echo vulnerable > create.txt";
var opt = {
  "src": attack_code
};
root(opt);
```

Screenshot from 2020-09-04 15-15-00

🔥 Proof of Fix (PoF) *

The same PoC with the fixed version doesn't lead to RCE:

Screenshot from 2020-09-04 15-26-16

👍 User Acceptance Testing (UAT)

All OK since execFile is used :smile:

Note: the error you can see in the second screenshot is because I haven't installed the scss-lint utility :+1:

juanfran commented 4 years ago

thanks!

Please run the tests next time; several were broken, which I'll fix on master.