Security Fix for Insecure use of Tmp files - huntr.dev
https://huntr.dev/users/mufeedvh has fixed the Insecure use of Tmp files vulnerability 🔨. mufeedvh has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/sync-exec/pull/1 |
| GitHub Issue | https://github.com/gvarsanyi/sync-exec/issues/17 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/sync-exec/1/README.md |
User Comments:
📊 Metadata
Bounty URL: https://www.huntr.dev/bounties/1-npm-sync-exec
⚙️ Description
sync-exec created its temporary files insecurely, building its tmp directory with fs.mkdir() under a predictable name. Node now ships a builtin for creating unique temporary directories, fs.mkdtemp(), so the fix switches to that.
💻 Technical Description
Temporary files were created with fs.mkdir() under a predictable path, which is the weakness Insecure Temporary File Creation (CWE-377).
The fix uses Node's builtin fs.mkdtemp(), which exists solely for creating temporary directories: it appends six random characters to the supplied prefix, so the resulting name cannot be predicted, and it never hands back a directory that already existed.
```js
// sync-exec is synchronous, so the Sync variant is used: it returns the created path,
// whereas fs.mkdtemp() without a callback returns nothing (and throws on current Node).
dir = fs.mkdtempSync(tmp_dir + '/sync-exec-');
```
🐛 Proof of Concept (PoC)
No PoC was provided.
🔥 Proof of Fix (PoF)
No PoC was provided.
📚 Reference:
- https://cwe.mitre.org/data/definitions/377.html
- https://github.com/babel/babel/issues/1093
- https://nodejs.org/api/fs.html#fs_fs_mkdtemp_prefix_options_callback
- https://advancedweb.hu/secure-tempfiles-in-nodejs-without-dependencies/
👍 User Acceptance Testing (UAT)
Ref: Example Test
```js
var exec = require('sync-exec');
// { stdout: '1\n',
//   stderr: '',
//   status: 0 }
console.log(exec('echo 1'));
// You can even pass options, just like for child_process.exec
// (http://nodejs.org/api/child_process.html#child_process_child_process_exec_command_options_callback)
console.log(exec('ls -la', {cwd: '/etc'}));
// Times out after 1 second, throws an error
exec('sleep 3; echo 1', 1000);
```
Outputs:
```
{ stdout: '1\n', stderr: '', status: 0 }
{
  stdout: 'total XXXX\n' +
  ...
  ...
  ...
  ...
  stderr: '',
  status: 0
}
```
@gvarsanyi - let me know if you have any thoughts!
Cheers! 🍰