totaljs / framework

Node.js framework
http://www.totaljs.com

Security Fix for Command Injection - huntr.dev #773

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

@hethvik (https://huntr.dev/users/hethvik) has fixed a potential Command Injection vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

| Q | A |
|---|---|
| Version Affected | * |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/framework/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/total.js/1/README.md |

User Comments:

📊 Metadata *

total.js is vulnerable to Command Injection.

Bounty URL: https://www.huntr.dev/bounties/1-npm-total.js/

⚙️ Description *

Command injection vulnerabilities typically occur when:

  1. Data enters the application from an untrusted source.
  2. The data is part of a string that is executed as a command by the application.
  3. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have. Command injection is a common problem with wrapper programs.

💻 Technical Description *

Fixed by allowing supported images.

🐛 Proof of Concept (PoC) *

  1. Create the following PoC file:

```js
// poc.js
const total = require('total.js');
let image = Image.load("");
let payload = ";touch HACKED;";
image.pipe(null, payload);
```

  2. Execute the following commands in the terminal:

```sh
npm i total.js # Install affected module
node poc.js    # Run the PoC
```

  3. Check the output using the ls command before and after the execution.

[screenshot: totaljs]

🔥 Proof of Fix (PoF) *

After the fix, execution will block execution of external commands.

[screenshot: totaljs_fix]

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.

JamieSlome commented 3 years ago

@petersirka, if you want more security fixes and patches like this in the future, you can let security researchers know that they can win bounties protecting your repository by copying this small code snippet into your README.md:

[![huntr](https://cdn.huntr.dev/huntr_security_badge.svg)](https://huntr.dev)
