cksource
Security Fix for RCE on "mrgit" - huntr.dev
https://huntr.dev/users/alromh87 has fixed the RCE on "mrgit" vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/mrgit/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/mrgit/1/README.md
User Comments:
📊 Metadata *
Bounty URL: https://www.huntr.dev/bounties/1-npm-mrgit
⚙️ Description *
mrgit was vulnerable against arbitrary command injection cause some user supplied inputs were taken and executed with shelljs function without prior validation. After update Arbitary Code Execution is avoided
💻 Technical Description *
Comands are executed using shelljs without sanitization, leading to Arbitrary Code Execution, missing sanitization was added
🐛 Proof of Concept (PoC) *
Install the package and run the below code:
const diff = require( './lib/commands/diff' );
diff.execute({arguments:['test; touch HACKED; #'], toolOptions:{packages:'', }, repository:{directory:''}})
It will create a file HACKED in the working directory.
🔥 Proof of Fix (PoF) *
After fix no file is created
👍 User Acceptance Testing (UAT)
Commands can be executed normally
