pirelenito / git-revision-webpack-plugin

πŸ— Webpack plugin that generates VERSION and COMMITHASH files during build
https://www.npmjs.com/package/git-revision-webpack-plugin
MIT License

Security Fix for Remote Code Execution - huntr.dev #53

Closed huntr-helper closed 4 years ago

huntr-helper commented 4 years ago

https://huntr.dev/users/Asjidkalam has fixed the Remote Code Execution vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/git-revision-webpack-plugin/pull/2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/git-revision-webpack-plugin/1/README.md |

User Comments:

📊 Metadata *

Command injection vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-git-revision-webpack-plugin/

βš™οΈ Description *

The git-revision-webpack-plugin module is vulnerable to RCE since a command is crafted using unvalidated user input and then executed, leading to arbitrary command injection. The argument options can be controlled by users without any sanitization. It was using the exec() function, which is vulnerable to Command Injection if it accepts user input and it goes through any sanitization or escaping.

💻 Technical Description *

The use of the child_process function exec() is highly discouraged if you accept user input and don't sanitize/escape them. I replaced it with execFile() which mitigates any possible Command Injections as it accepts input as arrays.

πŸ› Proof of Concept (PoC) *

Install the package and run the code below; you'll need to have a PDF to test:

```js
var GitRevisionPlugin = require('git-revision-webpack-plugin');
// The commithashCommand option is passed to exec() verbatim, so the shell
// interprets ';' and '#' and runs 'touch HACKED' after 'test'.
var test = new GitRevisionPlugin({'gitWorkTree':'s', 'commithashCommand':'test; touch HACKED; #', 'branchCommand':'s'});
test.commithash();
```

A file named HACKED will be created in the current working directory.


🔥 Proof of Fix (PoF) *

After applying the fix, run the PoC again and no files will be created. Hence command injection is mitigated.


πŸ‘ User Acceptance Testing (UAT)

Only execFile is used, no breaking changes introduced.

JamieSlome commented 4 years ago

@pirelenito - let me know if you have any questions or thoughts.

Cheers! 🍰

pirelenito commented 4 years ago

Thanks for reaching out @JamieSlome, but as stated in the documentation:

This configuration is not meant to accept arbitrary user input and it is executed by the plugin without any sanitization.

This was previously reported and closed. See: https://github.com/pirelenito/git-revision-webpack-plugin/issues/49#issuecomment-613617147

I'll close this PR for now, but ping me if you feel that the existing documentation solution is not sufficient.

Thanks.

JamieSlome commented 4 years ago

@pirelenito Thanks for the swift response and pointing this out.

Cheers 👍