blamer
describes itself as:
Blamer is a tool for getting information about the author of code from a version control system. Supports git and subversion.
Resources:
- Project's GitHub source code: https://github.com/kucherenko/blamer
- Project's npm package: https://www.npmjs.com/package/blamer
I'm reporting an Argument Injection vulnerability in the blamer npm package.
This vulnerability manifests in the library's blameByFile() API, which accepts the path of the file to run git blame on. The library does not sanitize this user input or validate that the given file path conforms to a specific schema, nor does it separate command-line flags from the path when invoking the git binary by using the POSIX double-dash (--) to mark the end of options. A caller can therefore pass a "path" that begins with a dash and git will parse it as an option; this is an argument injection against git, and git's --output= command-line option in particular results in arbitrary files being overwritten. Note that a shell is not involved: the injected value is interpreted by git's own option parser, so spawning git with an argument array does not by itself prevent it.
- Install blamer@1.0.1 or earlier
- Initialize a new Git directory with commits in it
- Create the following script in that directory:
```javascript
// you might need to set `type: module` in `package.json`
// if you're running this as a Node.js script initialized
// in an npm project
import Blamer from "blamer";

const blamer = new Blamer.default("git");

async function main() {
  // the "file path" is passed straight to git, which parses it as an option
  const file = "--output=/tmp/r2d2";
  const result = await blamer.blameByFile(file);
  console.log("Blame json: %j", result);
}

main();
```
- Observe a new file created on disk at /tmp/r2d2
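The following is an added example, not code from the blamer project, showing the two argv shapes this advisory is about: a vulnerable one that places the caller-controlled path where git parses options, and a hardened one that rejects option-like or repository-escaping paths and puts the path after the POSIX `--` end-of-options marker. The function and constant names (buildBlameArgsVulnerable, buildBlameArgsHardened, validateRepoPath, argsParsedAsOptions) are assumptions for illustration only, and the sample inputs are constructed. It stops short of spawning git so it runs offline; the comparison applies equally when git is started with execFile() or spawn(), because the injection is in git's option parsing rather than in a shell.

```javascript
// Added example: argv construction for "git blame", vulnerable vs hardened.
// Function and constant names are illustrative and are not blamer's API.

// Constructed inputs: an ordinary repository path and the proof-of-concept value.
const NORMAL_PATH = "src/index.js";
const POC_PATH = "--output=/tmp/r2d2";

// Vulnerable shape: the caller-controlled path follows the subcommand's flags
// with nothing to end option parsing, so git treats a leading "-" as an option.
// Passing this array to execFile()/spawn() instead of a shell does not help;
// no shell metacharacters are involved.
function buildBlameArgsVulnerable(file) {
  return ["blame", "--porcelain", file];
}

// Reject anything git could take as an option or that escapes the repository:
// a leading "-", absolute paths, empty path segments and ".." components.
function validateRepoPath(file) {
  if (typeof file !== "string" || file.length === 0) {
    throw new TypeError("file must be a non-empty string");
  }
  if (file.startsWith("-")) {
    throw new Error(`refusing option-like path: ${file}`);
  }
  if (file.startsWith("/") || file.startsWith("\\")) {
    throw new Error(`refusing absolute path: ${file}`);
  }
  for (const seg of file.split(/[\\/]/)) {
    if (seg === "" || seg === "..") {
      throw new Error(`refusing path that escapes the repository: ${file}`);
    }
  }
  return file;
}

// Hardened shape: the validated path is placed after "--", so even a value
// that slipped past validation is positional for git, never an option.
function buildBlameArgsHardened(file) {
  return ["blame", "--porcelain", "--", validateRepoPath(file)];
}

// Which argv elements does git parse as options? Everything after the
// subcommand and before the first "--" that starts with "-".
function argsParsedAsOptions(argv) {
  const end = argv.indexOf("--");
  const scope = argv.slice(1, end === -1 ? argv.length : end);
  return scope.filter((a) => a.startsWith("-"));
}

// Demo when run directly: show what git would see in each case.
for (const file of [NORMAL_PATH, POC_PATH]) {
  console.log(`input ${JSON.stringify(file)}`);
  console.log("  vulnerable argv, options seen by git:",
    argsParsedAsOptions(buildBlameArgsVulnerable(file)));
  try {
    console.log("  hardened argv, options seen by git:  ",
      argsParsedAsOptions(buildBlameArgsHardened(file)));
  } catch (e) {
    console.log("  hardened argv: rejected:", e.message);
  }
}
```

For the proof-of-concept input, the vulnerable argv lets git see `--output=/tmp/r2d2` as an option, while the hardened path rejects it outright; for an ordinary path, both accept it but only the hardened argv guarantees git will not reinterpret it. Validation and the `--` separator are deliberately both present: `--` is what actually stops option parsing, and the validation gives a clear error for callers instead of letting git fail on a nonexistent file.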
Liran Tal
The issue has been fixed in blamer@1.0.4.