clickstream-ios icon indicating copy to clipboard operation
clickstream-ios copied to clipboard
verified publisher icon gojek

Fixed Command injection in cocoapods-downloader

Open imhunterand opened this issue 2 years ago • 2 comments

Changes:

The gojek/clickstream-ios used cocoapods-downloader 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

require 'cocoapods-downloader' options = { :git => '--upload-pack=touch ./HELLO1;', :branch => 'foo'} options = Pod::Downloader.preprocess_options(options) # ls -la
  • After Fixed
      it 'throws when proving an invalid input' do
          options = { :git => '--upload-pack=touch ./HELLO1;', :branch => 'foo' }
          e = lambda { Downloader.preprocess_options(options) }.should.raise DownloaderError
          e.message.should.match /Provided unsafe input/
        end

Operational Impact

CVE-2022-24440 CWE-74 CWE-88 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

imhunterand avatar Jan 22 '23 17:01 imhunterand

Hi @imhunterand thank you for the PR.

mas @AbhijeetMallick would you mind to check this? thank you

radityagumay avatar Jan 25 '23 03:01 radityagumay