Potential security flaw
git-wrapper should never ever be used with unchecked values. It's currently not safe for production usage and apparently was never intended for such a case. The way the arguments are converted to a command line is insanely stupid:
```javascript
var cmd = this.binary + ' ' + this.args + ' ' + command + ' ' + options + ' ' + args
```
None of these arguments are checked for shell code or escaped in any way.
So try the following:
```shell
node -e 'var g=new (require("git-wrapper"))(".");g.args=";echo ABC";g.exec(";echo DEF", [";echo GHI"], function(e,m){console.log(m)})'
```
To fix this, you should never ever use exec but spawn instead.
Well, you can always inject something into your own code.
But thank you for mentioning it. I'll fix it, once I have the time.
Please see the suggested fix - https://github.com/pvorb/node-git-wrapper/pull/10. Thanks! 🍰
@pvorb Any chance on getting the PR above approved? Otherwise could I become a collaborator of this project? Thanks!